Embed Size (px)
Citation preview
The Distinction Between Fixed and Random Generators in
Group-Based Assumptions
James Bartusek∗ Fermi Ma† Mark Zhandry‡
Princeton University
Abstract
There is surprisingly little consensus on the precise role of the generator g in group-based assumptionssuch as DDH. Some works consider g to be a fixed part of the group description, while others take it tobe random. We study this subtle distinction from a number of angles.
• In the generic group model, we demonstrate the plausibility of groups in which random-generatorDDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that suchgroups have interesting cryptographic applications.
• We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems withpreprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant successprobability regime if the generator is random. We resolve this by proving tight lower bounds forthe random generator variants; our results formalize the intuition that using a random generatorwill reduce the effectiveness of preprocessing attacks.
• We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributionsare particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discoverthat the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev,Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requiresa fixed generator. In response, we formulate an alternative fixed-generator assumption that sufficesfor a new construction of non-malleable point obfuscation, and we prove the assumption holds inthe generic group model. We also give a generic group proof for the security of fixed-generator,low-entropy DDH (Canetti, Crypto 1997).
1 Introduction
Starting with the seminal work of Diffie and Hellman [DH76], the Computational Diffie-Hellman (CDH)assumption in certain cyclic groups has become a core pillar of modern cryptography. For a finite cyclicgroup G and generator g, the assumption holds if it is hard to compute gab given (g, ga, gb) for randoma, b. The corresponding Decisional Diffie-Hellman (DDH) assumption, introduced by Brands [Bra94], isthat given (g, ga, gb) for random a, b, it is hard to distinguish gab from gc for random c.
A somewhat subtle issue is the precise role of g in these assumptions: is it fixed in the group description,or is it randomly chosen along with a and b? For CDH in groups where the totient of the order is known,a folklore equivalence between the fixed and random generator variants exists (e.g. see Chapter 21 ofGalbraith’s textbook [Gal12]). For DDH, Shoup [Sho99] observed that the fixed generator assumptionappears to be a stronger assumption than the random generator version, though a formal separation between
∗[email protected].†[email protected].‡[email protected].
1
the two is unknown. Despite this apparent distinction, the cryptographic literature commonly refers to boththe fixed and random generator variants simply as “DDH”.1
A likely explanation for this practice is that in most applications of cryptographic groups, it is straight-forward to switch between fixed and random generators. For example, in ElGamal encryption [ElG84], userswho want the additional security of random-generator DDH can easily specify a random generator in theirpublic key.
Sadeghi and Steiner [SS01] observed that this justification does not apply in settings where the choiceof group generator is left to a potentially untrusted party.2 They give the example of a bank that offersits customers an anonymous payment system, claiming provable security under group-based assumptions.If the bank is free to choose parameters such as the group generator, then for security it is crucial thatany underlying assumptions hold in their (stronger) fixed generator form. While Sadeghi and Steiner didnot point to specific assumptions that can be broken simply by fixing the group generator, they stressedthat continuing to conflate these distinct assumptions could lead to serious ambiguities and mistakes in thefuture.
In the nearly two decades since Sadeghi and Steiner [SS01] first called attention to the above issue,dozens of new and increasingly sophisticated group-based assumptions have been introduced. Accordingly,researchers have devoted significant effort to evaluating the plausibility of these assumptions (e.g. [BFF+14,DHZ14]), frequently in idealized models such as the generic group model [Nec94, Sho97, Mau05]. Weobserve that these generic group justifications generally ignore the question of whether the generator isfixed or random, but that in most cases this distinction does not seem to affect real world security of theseassumptions.
In this work, however, we will see that this is not always the case.
1.1 Our Results
We first examine how the fixed vs. random generator distinction affects the classical Discrete-Log, CDH,and DDH problems in a variety of different settings, obtaining the following results:
• Generic Separations for CDH and DDH. We prove that fixed- and random-generator DDH areinequivalent assumptions in the generic group model [Nec94, Sho97, Mau05]. We show that for groupsof unknown order, fixed- and random-generator CDH are also inequivalent assumptions in the genericgroup model. In addition, we give evidence (relying on a new assumption about arithmetic circuits)that they are inequivalent even if the group order is known but its factorization is not.3
• Split-CDH and Split-DDH Groups. We define Split-CDH (resp. Split-DDH) groups for whichthe fixed-generator variant of CDH (resp. DDH) is easy but the random-generator variant is hard,and we observe that such groups imply interesting cryptographic applications. A split-CDH groupcan be turned into a self-bilinear map [YYHK14, KKS15] where the random-generator variant ofthe Multilinear CDH assumption holds. This implies powerful primitives such as multiparty non-interactive key agreement (with trusted setup).4 A split-DDH group can be used to instantiate avariant of the Boneh-Franklin identity-based encryption [BF01] scheme. We stress here that givingcandidate constructions of these groups is outside of the scope of this work. On the negative side,we prove that a natural class of non-interactive key exchange protocols (without trusted setup) areinsecure in certain split-CDH groups.
1For example, the Katz-Lindell textbook [KL] defines DDH with a fixed generator, while Cramer-Shoup [CS98] defines DDHwith a random generator.
2Sadeghi and Steiner [SS01] actually consider the more general possibility of the untrusted party choosing the group itselfmaliciously. This question is beyond the scope of our work, but in many cases it is an equally important consideration.
3This inequivalence was also suggested by Saxena and Soh [SS06].4A similar observation was also made in [SS06].
2
• Asymptotic Bounds for Discrete-Log and CDH with Preprocessing. We revisit the recentwork of Corrigan-Gibbs and Kogan [CK18], which seemingly resolves the generic hardness of Discrete-Log and CDH with preprocessing. We observe that while their lower bounds are tight for the fixed-generator variants, they leave a gap in the random-generator setting for algorithms with sub-constantsuccess probability. We close these gaps by proving tight lower bounds for the random-generatorvariants. Our bounds suggest that using a random generator can reduce the impact of preprocessingattacks, and in turn group parameters can be set more aggressively than previously thought in situationswhere random-generator Discrete-Log or CDH are sufficient.
Next, we turn our attention to the class of Diffie-Hellman-like assumptions involving non-uniform randomexponents. An example of such an assumption is Canetti’s “DDH-II” assumption [Can97], which states thatDDH remains hard even if the exponent a in (g, ga, gb, gab) is drawn from a well-spread distribution (sothat a has super-logarithmic min-entropy). While these assumptions are somewhat undesirable due to theirnon-standard nature [GK16], Wee [Wee05] showed that these assumptions (ones that require hardness givenonly super-logarithmic entropy) are necessary for applications such as point-function obfuscation.
Before we rely on such assumptions, it is important to rule out idealized adversaries that attack theunderlying structure of the assumption. The most common technique for achieving this is to prove theassumption holds in the generic group model [Nec94, Sho97, Mau05]. Such proofs certainly do not implythe validity of the assumption; instead, these proofs are generally viewed as a minimal level of guarantee weneed to gain confidence in an assumption [BFF+14].
Our central focus is on the recently proposed “Strong Power DDH” assumption of Komargodski andYogev [KY18a]. The assumption states that for x sampled from any arbitrary well-spread distribution D,
that gx, gx2
, . . . , gxk
is indistinguishable from k uniformly random group elements. Our results are thefollowing:
• Strong Power DDH is False for a Fixed Generator. We demonstrate the “Strong Power DDH”assumption underlying Komargodski and Yogev’s non-malleable point obfuscator [KY18a] as well asFenteany and Fuller’s non-malleable digital locker [FF18] is false in the fixed-generator setting. Thisresults from a subtle issue in the order of quantifiers; if g is fixed, an arbitrary well-spread distri-bution could depend on g. For example, x can come from the distribution that conditions on thebit-representation of gx beginning with 0. Unfortunately, these constructions can only be instantiatedwith a fixed generator, so the original security proofs in [KY18a] and [FF18] must rely on a falseassumption.5,6
In response to private communication from the authors of this work, Komargodski and Yogev haveoffered a simple fix [KY18b] for their original construction through a new “Entropic Power DDH”assumption.7 This new assumption suffices for non-malleable point obfuscation and is formulatedprecisely to address the vulnerability described above.
• Fixing Non-Malleable Point Obfuscation and Justifying Assumptions in the GenericGroup Model. In this work, we offer an alternative resolution. We construct a new non-malleablepoint obfuscator that is qualitatively different from the one in [KY18a]. Security of our constructionrelies on a newly formulated fixed-generator entropic assumption that we prove holds in the genericgroup model. Note that neither the Strong Power DDH Assumption [KY18a] nor the revised EntropicPower DDH Assumption [KY18b] come with generic group proofs of security.
5Relying on a random generator would require a common random string, which is not the model considered in [KY18a] orin the version of [FF18] dated Jan 30, 2019 at eprint.iacr.org/2018/957/20190130:190441.
6This issue appears in the Eurocrypt 2018 version of [KY18a], in an older ePrint version of [KY18b] dated May1, 2018 at eprint.iacr.org/2018/149/20180211:142746, and in the ePrint version of [FF18] dated Jan 30, 2019 ateprint.iacr.org/2018/957/20190130:190441.
7This refers to the newer ePrint version of [KY18b] dated Feb 21, 2019 available athttps://eprint.iacr.org/2018/149/20190221:133556.
3
Along the way, we develop general techniques (based heavily on [CDG18]) for proving generic securityof non-standard, entropic assumptions. As a final contribution, we demonstrate the applicabilityof these techniques by showing that the fixed- and random-generator versions of Canetti’s DDH-IIassumption [Can97] hold in the generic group model.8 This assumption has been used in both itsfixed-generator form (e.g. [KLRZ08, CD08, DHZ14]) and random-generator form (e.g. [Can97, BC10]).
1.2 Reader’s Guide
Our contributions (and the following technical overview) are divided into 4 parts.
• Part 1 is collection of generic-group-based results that explore the fixed- or random-generator distinc-tion for Discrete-Log, CDH, and DDH. We also describe our new split-CDH and split-DDH groups.These results are contained in Section 3.
• Part 2 is a discussion on the negative implications of the fixed- or random-generator distinction, witha focus on trusted set-up in Diffie-Hellman Key Exchange. The key technical result in this sectionis a black-box separation between random-generator CDH and a natural class of non-interactive keyexchange protocols. This part is in Section 4.
• Part 3 considers the problem of generic algorithms with preprocessing in the random-generator setting.Our lower bound for random-generator Discrete-Log and CDH is in Section 5.
• Part 4 studies the problem of non-malleable point obfuscation. We give our construction and provesecurity under a new assumption in Section 6. We justify our new assumption with a generic groupmodel proof in Section 7. Our generic group model proof for DDH-II can be found in Section 7.3.
We encourage any readers interested in non-malleable point obfuscation or generic group proof techniquesto first read Part 4 in the following technical overview before visiting the proofs in Section 6, Section 7, andSection 7.3.
1.3 Technical Overview
1.3.1 Part 1: Generic Separations and Split Groups.
Formalizing the Distinction. We will assume some process for generating a group description G oforder N . This group description is assumed to include a generator g. The fixed-generator DDH assumption,or f-DDH, states that the tuples (gx, gy, gxy) and (gx, gy, gz) are computationally indistinguishable, giventhe description of G. Here, x, y, z are chosen randomly in ZN . On the other hand, the random-generatorDDH assumption, or r-DDH, states that the tuples (h, hx, hy, hxy) and (h, hx, hy, hz) are computationallyindistinguishable. Here, x, y, z are chosen randomly in ZN , and h is a random generator of G (chosen,say, by setting h = gr for a random r in Z∗N ). We can also define fixed- and random-generator variantsof Computational Diffie-Hellman (CDH) and Discrete-Log (DLog). For example, f-CDH states that given(gx, gy) for random x, y, it is computationally infeasible to find gxy.
We consider the following three settings of groups: known prime group order, known composite grouporder of unknown factorization, and unknown group order. For each of the three assumptions and threesettings (for 9 instances in total) we explore the relationship between the fixed- and random-generatorvariants. Trivially, the f- variants of the assumptions are at least as strong as the r- variants. In the otherdirection, some instances have known or folklore reductions showing equivalence [Gal12]. For each of thecases that do not have a proof of equivalence, we provide a separation. This is formalized by augmentingthe generic group model [Sho97] with an oracle for the f- variant, and showing (potentially under reasonablecomputational assumptions) that the r- variant still holds. Table 1 summarizes our findings.
8Previously, such proofs had been obtained by Bitanksy and Canetti [BC10] and Damgard, Hazay, and Zottarel [DHZ14],who considered the random- and fixed-generator versions, respectively. We observe that both of these proofs treat the well-spread distribution as independent of the generic group labeling. Our proof handles distributions with arbitrary dependence onthe labels; for more discussion refer to Part 4 of Section 1.3.
4
DLog CDH DDHKnown Order X X ×
(FL/Lemma 5) (FL) (Theorem 2)Unknown Factorization X ×? ×
(FL/Lemma 5) (Theorem 4) (Theorem 2)Unknown order X ×? ×
(FL/Lemma 5) ([YYHK18]/Theorem 3) (Theorem 2)
Table 1: Generic equivalences and separations. FL denotes a folklore result. X means that the fixed andrandom generator versions are equivalent. × means that the random generator version is harder than thefixed generator version (in the generic model). ×? means the result holds under a plausible conjecture.
Applications of Split Groups. Looking at Table 1, we see that in the case of DDH, there is the potentialfor a group where f-DDH is easy but r-DDH is hard. We will call such groups split-DDH groups. Similarly,if the group order is unknown, potentially f-CDH is easy but r-CDH is hard; we call such groups split-CDH groups. In this section, we will see that such split Diffie-Hellman groups have useful cryptographicapplications.
First, we observe that a split-CDH group is very close to a self-bilinear map [YYHK14]. A self-bilinearmap is a group G together with a pairing e : G2 → G such that e(gx, gy) = e(g, g)xy. Let g1 = g andgn = e(g, gn−1). A typical computational assumption on self-bilinear maps would be the multilinear CDH
assumption [BS02]: for any n > 1, given gx0 , . . . , gxn , it is hard to compute g∏ni=0 xi
n . Notice that by applying
the mapping e(·, ·), it is only possible to compute g∏ni=0 xi
n+1 .An f-CDH oracle gives such an oracle where e(g, g) = g. Therefore, a split-CDH group gives all the
functionality of a self-bilinear map. But notice that since e(g, g) = g, gn = g for any n. Therefore, themultilinear CDH assumption is false. However, we observe that if we choose a random element h, thene(h, h) = hr where h = gr. As such, the f-CDH oracle would also give a self-bilinear map with respect to therandom generator h. We then show that multilinear CDH is actually hard relative to h, assuming r-CDH ishard. Thus, we obtain a self-bilinear map from any split-CDH group. As a consequence, following [YYHK14]we would immediately obtain multiparty non-interactive key agreement, broadcast encryption satisfying adistributed setup notion [BZ14], and attribute-based encryption for circuits.
In Section 3.2 we show that Split-DDH groups allow for a simple identity-based encryption (IBE) schemebased on the Boneh-Franklin [BF01] construction.
Our results above demonstrate that finding groups where f- and r- assumptions are separated yieldsinteresting applications. In the next part, we discuss the negative implications of differing hardness betweenf- and r- assumptions.
1.3.2 Part 2: Trusted Setup Assumptions
The previous sections demonstrated that the f- and r-DDH assumptions are distinct assumptions that maynot both be true. But then which DDH assumption should be used? In practice, g is typically part of astandards library chosen by a trusted third party (e.g. NIST). As such, users have essentially three choices:
1. Believe that the trusted third party chose g at random, and use the r-DDH assumption.
2. Do not trust the third party, but instead assume that there are no bad g. In other words, rely on thef-DDH assumption for g.
3. Do not trust the third party, but instead have one of the users generate a random g and distribute itto everyone else. Then rely on r-DDH.
Option 1 means that users need to trust that no one could have subverted g and chosen a bad generatorfor which DDH is actually easy; history has shown such trust could very well be misplaced. Only Options 2and 3 remove the need to trust a third party.
5
Remark 1. Note that to remove trusted setup assumptions entirely, we would need to ensure that G itself isguaranteed to satisfy f-DDH. One option is to assume that both G and g were generated by a deterministicprocess, so that all parties can calculate G, g for themselves without any setup. For groups based on finitefields, this requires deterministically generating large primes; while no polynomial-time provable algorithmsare known, there are very simple heuristic algorithms. For elliptic curve-based groups, other options areavailable (e.g. using a field with small characteristic). For one approach to deterministic curve generation,see [BCLN16].
In most cases, it is straightforward to switch between Options 2 and 3. A scheme designed for f-DDH canoften be converted into a scheme that relies only on r-DDH by having one of the parties choose a randomgenerator. On the other hand, a scheme designed for r-DDH can often be converted into an f-DDH schemeby fixing a group element and not including it with the user’s messages, saving slightly on transmission costs.
The above means slightly different parameter sizes for the two assumptions. For example, for public keyschemes, the extra group element would naturally go in the public key. The result is that schemes secureunder r-DDH naturally require one additional group element in the public key relative to the f-DDH analog.As authors often compare parameter sizes in terms of group elements (e.g. [Fuj16]), it is important that theyclearly identify which assumption is used.
In some cases, however, switching between f-DDH and r-DDH will have a more profound impact. Forexample, in a protocol between mutually distrusting parties, which party will be entrusted to come up withthe generator? While we are not aware of any instances of protocols in the literature that cannot be made towork with a random generator, it is straightforward to devise protocols where no single party can be trustedto choose the generator. As such, care must be taken when using the r-DDH assumption in these settings.
Diffie-Hellman Key Exchange. For the remainder of this section, we will focus on a concrete settingwhere it is not possible to trivially switch between f-DDH and r-DDH: Diffie-Hellman key exchange. Inthe protocol, Alice chooses a random a ← ZN and computes A = ga, and Bob chooses a random b ← ZNand computes B = gb. Then the two parties exchange A,B. In most treatments, Diffie-Hellman is a non-interactive key exchange (NIKE), which means that A and B are sent simultaneously. Alice then computesthe secret key K = gab = Ba and Bob computes K = gab = Ab. By the DDH assumption, an eavesdropperwho learns A,B can learn nothing about K.
The key issue here is that Alice and Bob need to know g in order to generate their first message. So if wewant one of them, say Alice, to come up with the generator, the result is an interactive protocol with Alicesending the first message, and only then can Bob send his. Therefore, in addition to requiring slightly morecommunication, Option 3 actually changes the nature of the protocol. What we see is that Diffie-Hellmancan only remain a setupless NIKE under the f-DDH assumption.
Now, it is possible to alter Diffie-Hellman to work with CDH by extracting hardcore bits from theunpredictable key. By the equivalence of f-CDH and r-CDH in known prime-order groups, we can obtaina setupless NIKE protocol from r-CDH (and hence also r-DDH). In groups of unknown order, however,this does not apply. As our main technical result from this section, we give evidence that in groups wherethe totient of the order is unknown, r-CDH alone is insufficient for constructing setupless NIKE. This isformalized by assuming that f-CDH is easy and demonstrating an attack on a wide class of key agreementprotocols that generalize the classical Diffie-Hellman protocol.
1.3.3 Part 3: Random-Generator Discrete-Log and CDH with Preprocessing.
A recent line of works [Mih, LCH11, BL13, CK18, CDG18] have explored non-uniform attacks on variousproblems in cryptographic groups. Here, a computationally expensive offline pre-processing stage generatesan advice string, which in a later online stage can be used to speed up computation in the group. We areinterested in the relationship between the length S of the advice string, the running time T of the onlinestage, the group order N , and the success probability ε.
6
Very recently, Corrigan-Gibbs and Kogan [CK18] seemingly resolve the non-uniform hardness of the
discrete logarithm problem. Namely, they show in the generic group model that ε = O(ST 2/N), where the
O hides logarithmic factors. This matches known upper bounds (attacks) up to logarithmic factors.However, all the works in this line (both lower bounds and attacks) only consider the fixed generator
version of discrete log. Corrigan-Gibbs and Kogan briefly mention this, concluding that “using a fixedgenerator is essentially without loss of generality” since a discrete log with respect to one generator can besolved by solving two discrete logs with respect to a different generator.
When considering just polynomial reductions between problems, the above is certainly true. However,when it comes to precisely quantifying hardness, the problem no longer remains identical for different gener-ators. In particular, suppose we have an algorithm that solves discrete log with respect to generator g withprobability ε and we want to solve a discrete log instance with respect to generator h = gr. To do so, oninput hx, we apply the algorithm twice to find the discrete logs of h and hx with respect to g. This gives rand rx, allowing us to solve for x. But since we needed to solve both instances correctly, our overall successprobability is only ε2. Of course if ε is a constant so is ε2, but in the low success probability regime, squaringthe advantage significantly changes the hardness of the problem.
We resolve the question of the hardness of random-generator discrete log in the pre-processing setting,
showing that ε = Θ(T 2
N + S2T 4
N2
). The attack side is simple: there are two natural ways to attack a
random-generator discrete log instance h, hx. One is to ignore the pre-processing, and apply the Baby-step
Giant-step algorithm, with success Ω(T2
N ). The other is to use the pre-processing to solve two discrete log
instances relative to some fixed generator g, in the manner described above. This gives success Ω((ST2
N )2),as shown in [CK18]. By choosing which algorithm to use based on the parameters S, T,N , one obtains
ε = Ω(T 2
N + S2T 4
N2
).
On the other hand, to prove the lower bound we need to show, essentially, that the two algorithms aboveare the only possible algorithms. This does not follow from the analysis of [CK18]. Instead, we use the toolsdeveloped in subsequent works [CDGS18, CDG18] (based on the earlier pre-sampling techniques developedby Unruh [Unr07] for the Random Oracle model) to switch to a “bit-fixing” model, where we then showthe optimality of the algorithms. In addition, we show that the same relationship holds as well for r-CDH.Generically, auxiliary input r-CDH is as hard as either using the auxiliary information to solve two discretelogarithms, or ignoring the input and solving one discrete logarithm.
1.4 Part 4: Low-Entropy Fixed-Generator Assumptions
Background: Point Obfuscation from Low-Entropy Assumptions. Our discussion thus far hasfocused on Discrete Log/Diffie-Hellman-type assumptions where ga, gb are uniformly random group elements.However, the security of many important cryptographic applications often relies on a stronger version of theseassumptions in which a and/or b might not be drawn uniformly at random.
Canetti’s construction of point function obfuscation is perhaps the most well-known example.9 A pointfunction fx(·) is a boolean function that accepts on x and rejects on all other inputs. Roughly speaking, anobfuscated point function O(fx(·)) implements the same input/output functionality as fx(·), but leaks noinformation about x beyond what can be learned through black-box oracle queries to fx(·). In other words,the obfuscated program acts as a virtual black box for evaluating the function.10 Canetti’s point functionobfuscator is simple: to obfuscate fx(·), draw a random group element gb and output (gb, gxb). Evaluationon input y is done by computing (gb)y and accepting if it matches gxb.
The security of this construction follows from an assumption Canetti refers to as DHI-II (in subsequentworks it has been renamed to “DDH-II”; we will adopt this name), which states that (g, ga, gb, gab) ≈C(g, ga, gb, gc) where g is a random generator, b, c are chosen uniformly at random, and a has super-logarithmic
9Canetti’s results [Can97] were originally described in the language of “oracle hashing”; the equivalence to point functionobfuscation was later pointed out by Wee [Wee05]. We describe Canetti’s results in Wee’s terminology.
10We defer a more detailed discussion on virtual-black-box obfuscation to [BGI+01] (see [Wee05] for specifics on point functionobfuscation).
7
min-entropy, i.e. it is sampled from a well-spread distribution D. We stress that DDH-II is technically aninfinite family of assumptions, since it requires indistinguishability if D is any well-spread distribution (evenones that are not efficiently sampleable).
Under DDH-II, the obfuscated program (gb, gxb) hides all information about the point x as long as x isdrawn from a well-spread distribution, since gxb is indistinguishable from gc. This immediately implies anotion of average-case virtual-black-box (VBB) security. Canetti proves that if a point function obfuscatoris average-case VBB for any well-spread distribution, this implies full (worst-case) VBB security. It waslater shown by Wee ([Wee05], Section 4.2) that Canetti’s approach is essentially inherent: VBB-secure pointfunction obfuscation requires strong assumptions that are hard for any well-spread distribution.
Background: Non-Malleable Point Obfuscation. Canetti’s original motivation for studying point ob-fuscation was to realize useful properties of random oracles [BR93] in the standard model. If H(·) is a randomoracle, observe that H(x) is a secure point obfuscation of fx(·), where evaluation is a single random oraclecall followed by a comparison. Komargodski and Yogev [KY18a] observe that the random oracle obfuscatorH(x) satisfies a strong non-malleability property, in the sense that given H(x) it is impossible to computeH(f(x)) for any (meaningfully) related point f(x), without first recovering x. This property is missing fromCanetti’s point obfuscator [Can97], e.g. since given (gb, gxb), one can easily compute (gb, g(x+1)b), which isan obfuscation of the related point f(x) = x+ 1.
Komargodski and Yogev [KY18a] propose the following modification to Canetti’s point obfuscator. To
obfuscate the point x, sample a random b and output (gb, (gb)gx4+x3+x2+x
). Note that for this expression to
make sense, gx4+x3+x2+x must be mapped back into the exponent space under some fixed public mapping.
Evaluation on input y is done by computing gy4+y3+y2+y, mapping this element back to the exponent space
and raising gb to that power, and finally comparing to (gb)gx4+x3+x2+x
.Komargodski and Yogev [KY18a] argue their obfuscation resists bounded-degree polynomial mauling
attacks, in which an adversary given an obfuscation of x attempts to produce an obfuscation of P (x) for somebounded-degree polynomial P (·). Roughly, the intuition is that the adversary cannot replace gb with any
other gb′, since generating (gb
′)gP (x)
does not appear possible given only (gb)gx4+x3+x2+x
. But if the adversarycannot change gb, the argument is that the linear constraints imposed by the form of x4 + x3 + x2 + x makeit impossible to replace x with P (x).
Formally, security in [KY18a] is proved under the newly introduced “Strong Power DDH” assumption,
which states it is hard to distinguish gx, gx2
, . . . , gx`
from ` random group elements, if x is drawn from anywell-spread distribution.
Fixed-Generator Strong Power DDH is False. In stating the assumption, Komargodski and Yo-gev [KY18a] do not specify how g is chosen or the relationship between g and the distribution over x. Weobserve that if g is a fixed generator, then their assumption is false. For a uniformly random group element,there must be some bit in its description with noticeable entropy. If it is bit i, we let D be the distributionover all points x such that the ith bit of the description of gx is 0. Then D has high min-entropy, andmoreover gx for x← D is distinguishable from a random group element by inspecting the ith bit.
If the assumption is taken in its random-generator formulation, the security proof in [KY18a] breaksdown, since an adversary can potentially replace g with a different generator g′. A natural idea to fix theconstruction would be to generate g using a public source of randomness.11 However, this would move theconstruction into the CRS model, where strong non-malleability results were previously known [CV09].
Fixing Non-Malleable Point Obfuscation. We remedy this situation by giving an alternative low-entropy fixed-generator assumption, and proving that this assumption is sufficient to achieve their notion of
11As noted in Section 1.1, Komargodski and Yogev have offered a fix through a new Entropic Power DDH Assumptionin a revised ePrint posting [KY18b], which does not come with a generic group proof. The goal of this section is to buildnon-malleable point obfuscation from an assumption that holds against generic adversaries.
8
non-malleable point obfuscation. We formulate our assumption in a way that allows us to prove it holds inthe generic group model. Our assumption is the following:
Let p ∈ [2λ−1, 2λ] and let n be at most poly(λ). Fix a group G of order p along with a generatorg, and draw k2, . . . , kn uniformly at random from Zp. For any well-spread distribution D over Zp,no efficient adversary can distinguish gkix+xii∈2,...,n for x← D from n− 1 uniformly randomgroup elements, even given k2, . . . , kn.12
The intuition for the design of this assumption is the following. We want to modify the group elementsgx, gx
2
, . . . in Strong Power DDH to block distributions D which “condition” on the fixed g, as we havealready seen how such distributions falsify the assumption. However, we are restricted to modifications thatpreserve our ability to perform a security reduction for the proof of non-malleability, as in [KY18a].
Without delving into the non-malleability security proof itself, the key requirement is that the reductionmust be able to construct specific polynomials (in x) in the exponent. We tweak the construction so thatthe reduction can construct a polynomial of the form ax + x2 + x3 + x4 + x5, where a is an arbitrarybut known scalar.13 Then by using terms of the form gkix+xi , we enable the reduction to construct thispolynomial by simply multiplying the i = 2, . . . , 5 terms; it will know a since the ki’s are given in the clear.Intuitively, the ki scalars contribute enough randomness to prevent distributions D which make the gkix+xi
terms distinguishable from random.Our resulting construction of non-malleable point obfuscation is (essentially) a, gax+x2+x3+x4+x5
. Wenote that our construction does not require the “double exponentiation” of [KY18a]. The full constructioncomes with two additional scalars and group elements that ensure that x is the only accepting input.
Discussion: Low-Entropy Fixed Generator Assumptions in the Generic Group Model. Inorder to gain confidence in our assumption, we prove it secure in the generic group model. As discussedin Section 1.1, this is usually viewed as a minimum requirement in order to gain confidence in a new group-based assumption. Recall that in the generic group model, group elements gx are replaced with random“labels” σ(x), where σ is a uniformly random injection from the space of exponents to some space of labels.An oracle stores the entire description of σ, and allows the generic adversary oracle access to honest groupoperations. For example, an adversary with labels σ(x), σ(y) can request the label for σ(x+ y).
We find that in the setting of fixed generator lower entropy assumptions, the standard intuition fordesigning generic group model proofs falls short. Our goal is to prove no generic adversary can distinguishbetween ki, σ(kix+xi)i∈2,...,n and ki, σ(ri)i∈2,...,n for uniformly random ki, ri, and x← D. Since thegroup and generator are fixed in this assumption, we must consider distributions which depend on the groupdescription itself. So in the generic model, any distribution D should be viewed as the output distributionof a potentially inefficient sampling algorithm S that is free to scan the entire labeling function σ.14 Theonly requirement we enforce is that given σ, the point x← S(σ) has super-logarithmic entropy.
To illustrate the difference in this setting, suppose for a moment that the sampler S had to output xwithout seeing σ (as is the case when x is drawn uniformly at random from Zp). The standard generic groupargument for indistinguishability would use the following structure:
Imagine treating x as a formal variable instead of as a randomly drawn value. This replacesthe group exponent space Zp with formal polynomials Zp[x], so the oracle now returns labelsby sampling a uniformly random label from the image of σ each time it encounters a distinctformal polynomial. Observe that there are no (non-trivial) linear combinations of the kix+xii
12We remark that the assumption we actually use is slightly different: instead of stating indistinguishability from uniform,
we require indistinguishability from gkiy+yii∈2,...,n for the same kii but uniformly random y. We can prove both formsof this assumption hold in the GGM, but this second form yields a simpler proof of VBB security. For the purposes of thistechnical overview this distinction can be ignored.
13In the full proof of non-malleability, the reduction must be able to construct other higher degree polynomials, which is whywe need the assumption to hold for n = poly(λ).
14In order to leverage Canetti’s proof that average-case VBB implies worst-case VBB for point functions, average-case securitymust hold even for inefficiently sampleable well-spread distributions.
9
polynomials (taken as formal polynomials in x) that evaluate to identically zero polynomials overx. This implies that the adversary will never encounter non-trivial collisions in the labels it sees,and we can use the Schwartz-Zippel Lemma to argue that the adversary’s view is identical in theworld where x is random instead of a formal variable.
This type of argument breaks down if S can choose x after seeing the labeling function σ. Now S can tryto pick x so that σ(kix+ xi) conveys non-trivial distinguishing information to the adversary. In particular,it is no longer accurate to argue that we can produce an identical view for the adversary by replacing x witha formal variable.
We could intuitively hope that S is powerless to pick x that can bias the distribution of σ(kix + xi)away from uniform, as it does not know the random ki. However, this intuition proves tricky to formalize,especially since S is given unlimited computational power and access to the entire function σ.
Connection to Preprocessing Attacks. To solve this problem, we apply the “bit-fixing” technique fromCoretti, Dodis, and Guo [CDG18]. They consider generic algorithms which are given an additional advicestring, computed beforehand using a computationally unbounded algorithm with access to σ. Conditionedon the advice string, it is no longer accurate to argue σ is a random labeling function. However, they show(roughly) that if we obtain at most P bits of advice about σ, this only leaks useful information about σ onO(P ) points. So for generic security proofs, this allows us to switch to a setting in which σ is a randomlabeling function on all but O(P ) inputs.
We apply these techniques to our setting by re-casting the sampler S outputting x as a computationallyunbounded algorithm outputting x as “advice”. However in our setting, the challenger is the one receivingthe advice instead of the adversary. It turns out that the [CDG18] techniques still apply here, allowing usto argue that σ can be re-sampled on all but polynomially many points. Once we perform this re-sampling,we show that the adversary will not be able to apply group operations to its set of initial group elementsand produce a point that was not re-sampled, except with negligible probability. Once this is established,standard generic group techniques suffice to complete the proof.
Generic Hardness of DDH-II. As a final contribution, we also prove the generic hardness of Canetti’sDDH-II assumption. We remark that previous proofs of DDH-II [BC10, DHZ14] operate in a highly idealizedmodel that assumes the sampler is independent of the labeling function σ. Preventing the sampler fromseeing the labels implicitly relies on the group itself being drawn at random, which in particular leads tocounterexamples when dealing with fixed generator assumptions. For example, the Strong Power DDHassumption with fixed generator can be proven in this model even though it is false in the real world.
In the case of DDH-II, one of the elements the adversary receives is σ(a) for low entropy a. We mustshow at a minimum that this does not allow the adversary to recover a (i.e. compute the discrete log), asdistinguishing would then be trivial. Such a claim might not be immediately obvious, especially consideringthat we can distinguish σ(a) from σ(r) for uniform r for certain distributions on a. We observe that anyadversary which succeeds in solving discrete log of σ(a) with noticeable advantage for a well-spread distribu-tion is also an adversary that solves discrete log (with much smaller advantage) for the uniform distribution.However, the resulting advantage exceeds the known generic bounds for discrete log algorithms [Sho97]. Theremainder of our proof makes use of bit-fixing techniques to reduce the problem of distinguishing the DDH-IIinstance to the problem of recovering a given just σ(a).
2 Preliminaries
For n ∈ N, let [n] denote the set 1, . . . , n. We specify formal variables by bold letters x. For a function f ,let im(f) denote the image of f .
Throughout, we let λ ∈ N be the security parameter. We use the usual Landau notations. A functionf(λ) is said to be negligible if it is λ−ω(1) and we denote it by f(λ) := negl(λ). A function f(λ) is said tohave polynomial growth rate if it is λO(1) and we denote it by f(λ) := poly(λ). A probability p(λ) is said to
10
be overwhelming if it is 1− λ−ω(1). We refer to A as PPT if it is a probabilistic polynomial time algorithm.If A has access to an oracle O, we write AO.
The statistical distance between two distributions D1 and D2 over a countable support S is defined tobe ∆(D1, D2) := 1
2
∑x∈S |D1(x)−D2(x)|. Let γ > 0. We say that two distributions D1 and D2 are γ-close
if ∆(D1, D2) ≤ γ. We let x← D denote drawing x from the distribution D. When X is a set, then x← Xdenotes drawing x uniformly at random from the set X. The following definition regarding infinite familiesof distributions will be used throughout.
Definition 1 (Well-Spread Distribution Ensemble). An ensemble of distributions Dλλ over domainsXλλ is well-spread if for all large enough λ ∈ N,
H∞(Dλ) = − minx∈Xλ
log2 Pr[x← Dλ] = ω(log(λ)).
2.1 Generic Group Model
Definition 2 (Generic Group Model (GGM) [Nec94, Sho97]). An application in the generic group model isdefined as an interaction between a T -attacker A and a challenger C. For a cyclic group of order N withfixed generator g, a random injective function σ : [N ]→ [M ] is sampled, mapping group exponents in ZN toa set of labels L. Label σ(x) for x ∈ ZN corresponds to the group element gx.C initializes A with some set of labels σ(xi)i. It then implements the group operation oracle OG(·, ·),
which on inputs σ1, σ2 ∈ [M ] does the following:
• If either of σ1 or σ2 is not in L, return ⊥.
• Otherwise, set x = σ−1(σ1) and y = σ−1(σ2), compute x+ y ∈ ZN , and return σ(x+ y).
A is allowed at most T queries to the oracle, after which C outputs a bit indicating whether A was successful.We refer to the probability that this bit is 1 as SuccC(A).
Remark 2. It will often be convenient to represent each query to OG as a linear polynomial over the initialset of elements xii given to A.
For an indistinguishability application, we define the advantage of attackerA as AdvC(A) = 2|SuccC(A)−1/2|.For an unpredictability application, the advantage is defined as AdvC(A) = SuccC(A). An application withassociated challenger C is (T, ε)-secure in the GGM is for every T -attacker A, AdvC(A) ≤ ε.
Definition 3 (Auxiliary-Input Generic Group Model (AI-GGM)). We now consider (S, T )-attackers A =(A1,A2). First σ : [N ]→ [M ] is sampled. A1 receives σ as input and outputs an S-bit string aux. Then thechallenger C operates as before, modeling interaction between A2 and OG(·, ·). Now A2 receives aux as inputand is allowed T queries to the oracle. Success, advantage, and security are defined analogously.
Definition 4 (Bit-Fixing Generic Group Model (BF-GGM)). We now consider (S, T, P )-attackers A =(A1,A2). First σ : [N ] → [M ] is sampled. A1 receives σ as input and outputs an S-bit string aux alongwith a set P ⊆ ZN of size P . Then σ is uniformly re-sampled on all but the points P (conditioned onmaintaining the same image), producing the injection σ′. We let im(P) refer to the images under σ and σ′
of the points in P. Then the challenger C operates as before, modeling interaction between A2 and OG(·, ·),where OG(·, ·) uses σ′ to answer queries. A2 receives aux as input and is allowed T queries to the oracle.Success, advantage, and security are defined analogously.
Theorem 1 ([CDG18]). Let N,M,P ∈ N, N ≥ 16, and γ > 0. If an unpredictability application withchallenger C that initializes A with T ′ group elements is ((S, T, P ), ε′)-secure in the BF-GGM for
P ≥ 18(S + log(γ−1))(T + T ′),
then it is ((S, T, P ), ε)-secure in the AI-GGM for ε ≤ 2ε′ + γ.
11
3 Generic Separations Between Fixed and Random Generator As-sumptions
In this section, we explore the relationship between fixed generator and random generator assumptions, inparticular looking at settings and assumptions where the fixed generator and random generator versionsare plausibly inequivalent. As we then show, groups where f-DDH is easy but r-DDH is hard (split-DDHgroups), or groups where f-CDH is easy but r-CDH is hard (split-CDH groups), can be used to build powerfulcryptographic applications. On the other hand, we also show that a large class of setupless NIKE protocolsare not secure in split-CDH groups.
We now formalize the six problems that we consider in this section. We assume a group generationalgorithm (Gλ, g,N)← GroupGen(1λ) where λ is the security parameter and Gλ is the description of a cyclicgroup with generator g and order N . All the assumptions below are relative to a fixed 15 output of the groupgeneration algorithm on input the security parameter λ.
• r-DLog: Given (gr, grx) compute x, where r ← Z∗N , x← ZN
• f-DLog: Given (gx) compute x, where x← ZN
• r-CDH: Given (gr, grx, gry) compute grxy, where r ← Z∗N , x, y ← ZN
• f-CDH: Given (gx, gy) compute gxy, where x, y ← ZN
• r-DDH: Given (gr, grx, gry, gbrxy+(1−b)z) determine b, where r ← Z∗N , x, y, z ← ZN , b← 0, 1
• f-DDH: Given (gx, gy, gbxy+(1−b)z) determine b, where x, y, z ← ZN , b← 0, 1
We use the generic group model to explore the relationships among the above problems, and operate inthree different settings. First is the usual setting, described in the preliminaries, where we implicitly assumethe order of the group and its factorization is known. Then we model the setting where the order of thegroup is known but the factorization is not explicitly given. We call this the Unknown Factorization GenericGroup Model (UF-GGM) (previously considered in [AJR08, AM09]). Note that in this setting, an advantagebound AdvC(A) is only meaningful for PPT adversaries A since otherwise we can assume A factors the grouporder and we are back in the usual setting. Contrast this with the usual generic group setting where thecomputational complexity of A is arbitrary and we only have a bound on the number of group operationqueries to the oracle.
Finally, we model a third setting where the order of the group itself is unknown, called the UnknownOrder Generic Group Model (UO-GGM) (first described in [DK02]). We adopt the convention consideredin [YYHK18] for generic rings of unknown order, where the order is drawn at random from all primes withbit length at most λ. We augment this model with an explicit group inverse oracle that on input σ(x) returnsσ(−x). Note that when the group order is known, this operation can be done with logarithmic queries tothe group operation oracle, so this is usually not explicitly given in that setting.
We will also consider augmenting these generic group models with additional oracles beyond the groupoperation/inverse oracles. More specifically, we consider an f-DDH oracle OfDDH(·, ·, ·) that on inputσ(x), σ(y), σ(z) returns 1 if xy = z and 0 otherwise, and an f-CDH oracle OfCDH(·, ·) that on input σ(x), σ(y)returns σ(xy). Now when we give an adversary T oracle queries, we mean combined queries between alloracles it has access to.
In the following proofs, we always assume that for group order N ∈ [2λ−1, 2λ], the smallest primedividing N has bit length ω(log(λ)). This is required to prevent trivial attacks, and is useful when arguingthat polynomials modulo N will vanish with low probability over random inputs. We cannot apply Schwartz-Zippel right away since ZN is not necessarily a field, and instead apply the following lemma.
15Random generator assumptions can be formulated with respect to a randomized generator h output by GroupGen. Here weassume a fixed generator g and randomize it as part of the game itself, letting h = gr.
12
Lemma 1. Let N ∈ [2λ−1, 2λ] be such that the bit length of its largest prime divisor is ω(log(λ)). LetQ(x1, . . . , xm) be a polynomial of total degree n = poly(λ). Then Pr[Q(r1, . . . , rm) = 0 mod N ] = negl(λ),where each ri is drawn uniformly and independently from either ZN or Z∗N .
Proof. Let p be a prime and k an integer such that pk | N but pk+1 - N . By assumption, we know thatp = ω(poly(λ)) and k = poly(λ). Any ri drawn uniformly from ZN when taken mod pk is uniform from Zpk ,and by the Chinese Remainder Theorem, any ri drawn uniformly from Z∗N when taken mod pk is uniformfrom Zpk \ pZ. Both of these domains have size ω(poly(λ)), thus we can apply Schwartz-Zippel to show thatPr[Q(r1, . . . , rn) = 0 mod pk] = negl(λ). This immediately gives the result.
3.1 DDH Separations
The following theorem establishes the inequivalence of the f-DDH and r-DDH problems in all three settingswe consider. In particular, it gives heuristic evidence that a group might exist where f-DDH is easy (in fact,can be solved with probability 1) but r-DDH is hard.
Theorem 2. r-DDH is (T, ε)-secure in the GGM (or UF-GGM or UO-GGM) augmented with an f-DDHoracle, for group order N ∈ [2λ−1, 2λ], T = poly(λ), and ε = negl(λ).
Proof. It suffices to give the proof in the regular GGM, since applications can only become harder in theUF-GGM and UO-GGM. In the r-DDH game, the challenger C is initialized with a labeling σ whereL := im(σ) and chooses r ← Z∗N , x, y, z ← ZN , and b ← 0, 1. The adversary A is initialized with(σ(1), σ(r), σ(rx), σ(ry), σ((1 − b)rxy + bz)). It interacts with the generic group oracle OG and the f-DDHoracle OfDDH , outputs a bit b′, and wins if b′ = b.
Let T ′ be the number of OG queries made by A and T ′′ the number of OfDDH queries. We representthe set of queries made to OG as the set of linear polynomials
a(t)1 r + a
(t)2 rx+ a
(t)3 ry + a
(t)4 ((1− b)rxy + bz) + a
(t)5 t∈[T ′],
and the set of queries made to OfDDH as
b(t)1 r + b(t)2 rx+ b
(t)3 ry + b
(t)4 ((1− b)rxy + bz) + b
(t)5 ,
c(t)1 r + c
(t)2 rx+ c
(t)3 ry + c
(t)4 ((1− b)rxy + bz) + c
(t)5 ,
d(t)1 r + d
(t)2 rx+ d
(t)3 ry + d
(t)4 ((1− b)rxy + bz) + d
(t)5 t∈[T ′′].
First we switch to a hybrid game where r, x, y, z are left as formal variables by the challenger. The challengermaintains a table mapping polynomials in ZN [r,x,y, z] to labels in L, picking a new uniformly random labelamong those unused so far each time A queries OG with a new polynomial. When A queries OfDDH withthree linear polynomials `b, `c, `d, it responds with 0 if and only if `b`c − `d is identically zero over r,x,y, z.At the end of the game, the challenger draws the values of r, x, y and z from the appropriate distributions.
Now there are two ways in which A can distinguish this from the original game. First, it could queryOG on two separate polynomials that are not the same in ZN [r,x,y, z], but evaluate to the same elementonce r, x, y, z are plugged in. Second, it could query OfDDH on `b, `c, `d where `b`c − `d is not identicallyzero, but evaluates to zero when r, x, y, z are plugged in. All of these events can be represented by somenon-constant polynomial of total degree at most 6 evaluating to zero over the randomness of r, x, y, z. ByLemma 1, the probability that any one of them evaluates to zero is negl(λ). Then a union bound over theO(T 2) polynomials shows that A can notice this change with negl(λ) probability.
Now we argue that any adversary A has advantage 0 in this hybrid game. Regardless of the value of b,the four initial handles received by A are distinct monomials of the formal variables r,x,y, z. Thus any setof distinct linear combinations of them will be distinct polynomials over ZN [r,x,y, z], and the answers fromOG will be identically distributed. Thus if A distinguishes, it must do so via a OfDDH query. If b = 0, then
13
any query to OfDDH returns 0 if and only if
(b1r + b2rx + b3ry + b4rxy + b5)(c1r + c2rx + c3ry + c4rxy + c5)
−(d1r + d2rx + d3ry + d4rxy + d5) ≡ 0 mod N.
If b = 1, then any query to OfDDH returns 0 if and only if
(b1r + b2rx + b3ry + b4z + b5)(c1r + c2rx + c3ry + c4z + c5)
−(d1r + d2rx + d3ry + d4z + d5) ≡ 0 mod N.
It is clear that if the b = 1 equation is identically zero, then the b = 0 equation is also. Therefore, A canonly distinguish if it finds a query such that the b = 0 equation is identically zero but the b = 1 equation isnot. By expanding the left hand side of each, we see that the only difference lies in the following monomials(all others being distinct monomials over r,x,y,z with the same coefficient regardless of b):
b = 0 : (b1c4 + b4c1 + b2c3 + b3c2)r2xy
b = 1 : (b1c4 + b4c1)rz + (b2c3 + b3c2)r2xy.
Thus we need a setting of coefficients such that the b = 0 equation is identically zero but
b1c4 + b4c1 6≡ 0 mod N or b2c3 + b3c2 6≡ 0 mod N.
First, since the b = 0 equation is identically zero, we know that
b1c4 + b4c1 ≡ −(b2c3 + b3c2) mod N. (1)
Next, since b1c4 + b4c1 6≡ 0 mod N , let p be a prime such that p | N but p - b1c4 + b4c1. Then eitherp - b1c4 or p - b4c1 so assume the former (the other case is symmetric). Thus p - b1. Also, since the b = 0equation is identically zero, we must have that the coefficients on r2, r2x, and r2y are 0 mod N , so
b1c1 ≡ 0 mod N,
b1c2 + b2c1 ≡ 0 mod N,
b1c3 + b3c1 ≡ 0 mod N.
Since p | N and p is prime, the first equation above shows that p | c1. Combining with the second equationshows that p | c2 and combining with the third equation shows that p | c3. Thus, p divides the RHS ofEquation 1 which is a contradiction since we started with the assumption that p does not divide the LHS.
3.2 Split-DDH Groups
The previous section demonstrates the feasibility of split-DDH groups. Now we show that such groups canbe used to build identity based encryption. Let G be a split-DDH group with fixed generator g and order N .Let ID be a space of IDs and let H be a random oracle mapping IDs to group exponents in ZN . We assumethe existence of an f-DDH oracle O(·, ·, ·) that is correct on any fixed instance with overwhelming probability.This follows from the the fact the f-DDH is easy in split-DDH groups and folklore random self-reduction andself-correction algorithms for DDH. See [BF01] for definitions of IBE and related security notions.
• KeyGen : Choose s← Z∗N and let msk = s and mpk = gs.
• Extract : On input id ∈ 0, 1∗, let tid = H(id), skid = gtids, and pkid = gtid .
• Encrypt : On inputm, id ∈ 0, 1∗, choose ri, ui ← ZN for i ∈ [|m|] and output mpkri , pkr−1i mi+ui(1−mi)
id i∈[|m|].
14
• Decrypt : On input an encryption ci, dii and id, output O(ci, di, skid)i.
For correctness, note that if mi = 0, we can write the ith input to O as (gsri , gtidu, gtids) where s, u, ri areuniformly random and independent. This is a valid f-DDH instance with negligibly probability. However,
when b = 1, we can write the inputs as (gsri , gtidr−1i , gtids) which is a valid f-DDH instance. Now we argue
security.
Lemma 2. If H is a random oracle, the above scheme is semantically secure under adaptive identity attacks.
Proof. We prove security in the case where A’s challenge messages are one bit long. In other words, Adoesn’t pick two messages, rather, the challenger encrypts a uniformly random bit b. This easily extends tolonger messages via a standard hybrid argument.
Assume the existence of a PPT adversary A that makes n = poly(λ) random oracle queries and winsthe adaptive identity attack game with ε = 1/poly(λ) probability. Following the proof of Boneh-Franklinsecurity, we show a reduction B that solves r-DDH in G with 1/poly(λ) probability. We reformulate the
r-DDH game to be, given gx, gy, gz, gbx−1yz+(1−b)u, determine b. First, B chooses an i ← [n]. We condition
on A’s challenge identity id∗ corresponding to its i’th random oracle query, which occurs with probability1/n. We implicitly set the msk s equal to z and H(id∗) = tid∗ = y. B initializes A with gz. On A’s jthidentity query idj for j 6= i, B will choose a uniformly random tidj ← ZN , return gtidj , and store the mapping(idj , tidj ). On A’s ith identity query id∗, B returns gy.
Now A’s challenge can be answered as follows. Implicitly setting sr = x, B returns (gx, gbx−1yz+(1−b)u).
Note that gx−1yz = gs
−1r−1tid∗s = pkr−1
id∗ , so this is a valid encryption of the bit b chosen by the r-DDHchallenger. Thus B’s advantage in determining this bit is exactly A’s advantage in determining the bitencrypted. So overall, we have that B succeeds in the r-DDH game with probability ε/n = 1/poly(λ), acontradiction.
3.3 CDH Separations
Next, we study the relationship between f-CDH and r-CDH. In the usual setting where the totient of thegroup order is known, we refer to [Gal12] Chapter 21, which contains a proof of the polynomial equivalence ofthese two assumptions. However, as observed previously (for example in [SS06]), the reduction from r-CDHto f-CDH seems to require the ability to compute multiplicative inverses of unknown exponents. In a groupwhere the totient of the group order N is known, this is easy to do by raising to the power of φ(N) − 1.Otherwise, it seems that the reduction cannot go through. We give heuristic evidence that this is indeedthe case, by observing that results about the generic ring model from [YYHK18] can be re-cast to give aseparation between the two assumptions in the UO-GGM (under a variant of the factoring assumption) andgiving our own separation in the UF-GGM (under a new but plausible computational assumption).
We assume throughout this section that adversaries in the UF-GGM and UO-GGM can generate uni-formly random elements mod the group order. This is not exactly true, but since the group order N isknown to be bounded above by 2λ, the adversary can pick an integer k such that k mod N is 1/2λ-close touniform by picking k uniformly from Z23λ .
We first confirm that r-CDH is random self-reducible in a group of unknown order. This requires showinga reduction that does not require taking multiplicative inverses mod the group order.
Lemma 3. Consider a group G of order N ∈ [2λ−1, 2λ]. An adversary A that does not know N and solves auniformly random r-CDH instance in G with probability ε = 1/poly(λ) implies the existence of an adversaryB that does not know N and solves any fixed r-CDH instance in G with probability ε.
Proof. First observe that the r-CDH problem described above is equivalent to the following: given (gx, gy, gz),
compute gx−1yz where x← Z∗N , y, z ← ZN , and inverses in the exponent are taken in Z∗N .
Now let (gx, gy, gz) be the fixed r-CDH instance for which we want to compute gx−1yz. Choose uniform
t, s, u mod the group order and compute
(gxu, g(y+xt)u, gz+xs).
15
Note that gxu, gxt and gxs are uniformly random and independent group elements, so this is a uniformlyrandom r-CDH triple. Solving, we get
g(xu)−1(y+xt)u(z+xs) = gx−1(xy+xys+xzt+x2st) = gx
−1yz+ys+zt+xst.
Now, gys, gzt, and gxst can all be calculated from the the original three elements. Then we can take thegroup inverse of each and divide to recover gx
−1yz.
Now we give a formal statement of the unbalanced modulus factoring assumption and then use the resultsof [YYHK18] to give a separation between f-CDH and r-CDH in the UO-GGM under this assumption.
Assumption 1 (Unbalanced Modulus Factoring Assumption [Lip94, YYHK18]). Let Pλ be the set of primeswith bit length at most λ. Then for any PPT A and polynomial poly(·),
Pr[p← A(1λ, pq) | p← Pλ, q ← Ppoly(λ)] = negl(λ)
Theorem 3. r-CDH is (T, ε)-secure in the UO-GGM augmented with an f-CDH oracle, for group orderp← Pλ, T = poly(λ), and ε = negl(λ).16
Proof. As seen above, if an adversary A can solve a random instance r-CDH with an f-CDH oracle OfCDH ,then it can solve r-CDH on any fixed instance. In particular, given (gx, g1, g1) for some fixed prime x,AOfCDH will output g−x with 1/poly(λ) probability. Now, we can simulate the behavior of AOfCDH in theUO-GGM via access to a generic ring model of unknown (prime) order. We simply let the ring be theexponent space of the group, and implement generic group queries with additions and OfCDH queries withmultiplications. This generic ring setting of unknown order is exactly the setting considered by Yamakawaet al. [YYHK18], who show that under Assumption 1, it is hard to compute the inverse of any prime x.
We now turn to separating f-CDH and r-CDH in the setting where the factorization of the group orderis unknown (i.e. in the UF-GGM model).17 We make the following knowledge assumption:
Assumption 2. Let A be a PPT that on input an integer N of Θ(λ) bits, outputs an arithmetic circuitC. Say that with probability ε(λ) over the randomness of A and N , C implements a univariate polynomialf(·) whose coefficients are not all zero modulo N , but satisfies f(x) ≡ 0 mod N for all x ∈ ZN . Then thereexists an “extractor” A which, given the same inputs as A, can factor N with the same probability ε(λ).
Remarks on Assumption 2. Let N = pq. By elementary number theory and the Chinese RemainderTheorem, we can show that all polynomials f(x) satisfying the conditions in Assumption 2 take the formf(x) ≡ (xp − x)r(x) + (xq − x)s(x) mod N for arbitrary (but not both zero) polynomials r(x) and s(x).Intuitively, it seems that the only way A can output an arithmetic circuit C is to “know” at least one of pand q, but we were unable to prove this.
We stress that this is a new and ad-hoc assumption, but that its statement is completely independent ofcryptographic groups. In other words, we can show that the problem of separating f-CDH from r-CDH inthe UO-GGM reduces to validating a knowledge assumption concerning arithmetic circuits and factoring.
Unfortunately we were unable to meaningfully relate the strength of Assumption 2 to other cryptographicassumptions or even to complexity-theoretic statements. In particular, it might be possible to give anunconditional proof that Assumption 2 holds.
Thus our purpose in stating this assumption is to mark partial progress towards proving this separationin the hopes of affirmatively resolving this problem. In the words of Goldwasser and Kalai, this assumptionshould be taken as an open invitation to refute or simplify [GK16].
Theorem 4. Under Assumption 2, r-CDH is (T, ε)-secure in the UF-GGM augmented with an f-CDH oracle,for group order N ∈ [2λ−1, 2λ], T = poly(λ), and ε = negl(λ).
16We thank Takashi Yamakawa for pointing out an error in an earlier version of this proof.17We note that the existence of such a separation was essentially conjectured by Saxena and Soh [SS06], but that they do
not give any evidence to support the conjecture.
16
Proof. We refer to [Gal12][21.3] for a proof that r-CDH is random self-correctable, meaning an algorithmthat has 1/poly(λ) success probability on a random r-CDH instance can be boosted to one with 1− negl(λ)success probability on a random instance. We note this self-correction algorithm works even if the grouporder is unknown, as it does not require inverses in the exponent.
Then Lemma 3 and the result from [Gal12] can be combined to show that a generic adversary A with non-negligible advantage in the r-CDH game, given an f-CDH oracle, can be boosted to one that has overwhelmingsuccess probability on any fixed r-CDH instance. Thus we can assume that any A contradicting the theoremstatement actually succeeds on an overwhelming fraction of inputs (σ(x), σ(1), σ(1)). Now we describe areduction B that contradicts Assumption 2. On input N , B will let x be a formal variable, and simulatethe generic group and f-CDH oracles over ZN [x], drawing the labeling function σ on the fly. It initializes Awith (σ(x), σ(1), σ(1)) and maintains a table mapping polynomials in ZN [x] to labels. When A returns alabel, B finds which polynomial P over x it corresponds to (represented as a polynomial size circuit). Weare guaranteed that P (x) = x−1 mod N with overwhelming probability over the choice of x. So Q(x) :=xP (x) − 1 is zero on an overwhelming fraction 1 − ε(λ) of inputs x ∈ ZN . B will choose λ elements riuniformly at random from ZN and form the polynomial Q′(x) = Q(x+r1) . . . Q(x+rλ). For any fixed x, theprobability that Q′(x) 6= 0 is at most ε(λ)λ. So by a union bound, the probability that Q′ is not identicallyzero is at most Nε(λ)λ ≤ (2ε(λ))λ = negl(λ).
3.4 Split-CDH Groups
The previous section demonstrates the feasibility of split-CDH groups. Observe that split-CDH groups arevery similar to self-bilinear maps [YYHK14] (i.e. symmetric bilinear maps where the target group is thesame as the source group) which in turn are sufficient for instantiating multilinear maps [BS02], since theyallow for taking repeated products in the exponent. Consider the following random generator version of theMultilinear Computational Diffie Hellman problem:
Definition 5 (r-MCDH). Fix a group description G with generator g and order N . Given (gr, grx0 , . . . , grxn)compute gr
n∏ni=0 xi , where r, xi ← ZN
This assumption is quite powerful; for example it has been shown to imply multiparty non-interactivekey exchange with trusted setup [BS02] and distributed broadcast encryption [YYHK14]. We now show thatthe r-MCDH problem is hard in any split-CDH group.
Lemma 4. No PPT adversary A can solve r-MCDH with 1/poly(λ) probability in a split-CDH group withorder N of bit length Θ(λ).
Proof. Say there exists an adversary A such that given (gr, grx0 , . . . , grx0) and an f-CDH oracle, computesgrn∏n
i=0 xi with 1/poly(λ) probability. Define the reduction B attacking r-CDH, which receives ga, gb, gc asinput. It picks z2, . . . , zn uniformly at random, letting s :=
∏ni=2 zi. Give (gas, gb, gc, gz2 , . . . , gzn) as input
to A. We are implicitly setting r = as, x0 = a−1s−1b, x1 = a−1s−1c, x2 = a−1s−1z2, . . . , xn = a−1s−1zn.Then rn
∏ni=0 xi = ansna−(n+1)s−(n+1)bcs = a−1bc, so if A is successful in breaking r-MCDH, it returns the
solution to B’s r-CDH instance.
3.5 Discrete Log
To conclude, we observe that unlike DDH and CDH, the fixed and random generator versions of discretelog are polynomially equivalent in the three settings we consider. The random generator variant is clearlyat least as hard as the fixed generator variant, so we just give the following reduction, which we believe islikely folklore.
Lemma 5. If r-Dlog is (T = poly(λ), ε = negl(λ))-secure in the GGM (or UF-GGM or UO-GGM) withgroup order N ∈ [2λ−1, 2λ], then f-Dlog is(poly(λ), negl(λ))-secure.
17
Proof. Assume the existence of an adversary A with T = poly(λ) queries that solves f-Dlog with 1/poly(λ)probability. We first show that in the UO-GGM, there exists a reduction B with poly(λ) queries which usesA to determine the group order. B will repeatedly pick random integers t such that t mod N is negligiblyclose to uniformly random, and query A on each t. If A is successful, it returns t′ ≡ t mod N . In this caseN | t− t′, and this can be tested by querying the generic group oracle on two integers t− t′ apart and seeingif the same handle is returned. By repeating a poly(λ) number of times, eventually A will be successful andB will recover a random multiple of N . This can be repeated to obtain many multiples of N and B finishesby taking the GCD.
Thus we can assume to be in the UF-GGM or regular GGM. Now we describe a reduction C which usesA to solve r-Dlog. On input σ(x), σ(xy), C will query A on both. A is successful on both with 1/poly(λ)and in this case C recovers x and xy in the clear. Now since N is known, C can calculate x−1 mod N via theExtended Euclidean algorithm and multiply the result with xy to recover y.
4 A Black Box Separation Between Random-Generator CDH andNIKE
We show a limit to the power of split-CDH groups. As discussed in the introduction, the r-CDH assumptioncan suffice for setupless Diffie-Hellman key exchange in groups where the factorization of the order is known(when r-CDH and f-CDH are equivalent).
4.1 Our Techniques
In the classic Diffie-Hellman scheme, Alice draws a random a and sends ga, Bob draws a random b and sendsgb, and the two agree on gab. We show that in certain split-CDH groups, a large class of protocols that general-ize this idea cannot be secure. In particular, we will allow Alice to draw a vector of n = poly(λ) random values
~x = (x1, . . . , xn), compute m different multivariate polynomials ~R(~x) = (R1(x1, . . . , xn), . . . , Rm(x1, . . . , xn))
over these values, and send g~R(~x) as her message (interpreted as the m group elements obtained by raising
g to each component of ~R(~x)). Bob does the same, sending the message g~R(~y).
To agree on a group element, Alice and Bob compute gP (~R(~x),~y) = gP (~R(~y),~x) for some polynomial P .Ideally, security is argued the same way as in standard Diffie-Hellman. We want to show that there existsa polynomial P so that Alice and Bob can agree on a group element, and that this group element looks
random to an adversary who only sees g~R(~x) and g
~R(~y).To prove the insufficiency of r-CDH alone, we first prove Lemma 6. This is a purely mathematical claim
that whenever P and ~R satisfy P (~R(~x), ~y) = P (~R(~y), ~x), there in fact exists another polynomial Q such that
Q(~R(~x), ~R(~y)) = P (~R(~x), ~y) = P (~R(~y), ~x). If an adversary can break f-CDH with overwhelming advantage18,an adversary can break security by simply computing Q in the exponent.
This of course requires Q to be efficiently computable, which places a number of restrictions on theparameters this separation applies to. We also remark that the following separation only holds in split-CDHgroups in which the adversary can calculate multiplicative inverses of constants mod the group order. Thisis not a generic feature of split-CDH groups, but holds for example in split-CDH groups of known order butunknown factorization. The reason for this restriction is that we must represent the coefficients of the Ri, P ,and Q polynomials below as rational numbers.
4.2 Separating r-CDH and setupless NIKE
We first define the generalized Diffie-Hellman protocols we consider, which we call “polynomial-based” non-interactive key exchange.
18This can be achieved by applying self-correction to an algorithm breaking f-CDH with any non-negligible advantage, seee.g. [Gal12] Section 21.3
18
Definition 6. Polynomial-based non-interactive key exchange (NIKE) with parameters (n,m, d) is a non-interactive key exchange protocol taking the following form:
• Fix a group G with order p and associated generator g, a vector of n-variate polynomials ~R =(R1, . . . , Rm) and an m+ n-variate polynomial P such that
P (~R(~x), ~y) ≡ P (~R(~y), ~x) mod N
where ~x and ~y are each vectors of n formal variables and the total degree of P over ~x and ~y is d.
• Alice chooses x1, . . . , xn ← Zp and publishes g~R(x1,...,xn).
• Bob chooses y1, . . . , yn ← Zp and publishes g~R(y1,...,yn).
• Alice uses the f-CDH oracle to compute k = P (~R(y1, . . . , yn), x1, . . . , xn) in the exponent and Bob usesthe f-CDH oracle to computek = P (~R(x1, . . . , xn), y1, . . . , yn) in the exponent, and gk is the shared secret.
This class of NIKE schemes includes basic Diffie-Hellman, as well as natural extensions that would takeadvantage of the extra functionality given by an f-CDH oracle.
Theorem 5. In a split-CDH group of known order, there does not exist secure polynomial-based NIKE with(n = poly(λ),m = poly(λ), d = O(1)) or (n = poly(λ),m = O(1), d = poly(λ)).
Notation. We will use the notation deg~x(P (~x, ~y)) to denote the total degree of a polynomial P over onlythe x1, . . . ,xn formal variables (i.e. treating the y1, . . . ,yn formal variables as part of the “coefficients”),and define deg~y(P (~x, ~y)) analogously. For polynomials over only the ~x variables, we drop the subscript andlet deg(P (~x)) denote the total degree. Similarly, we let coeffs~x(P (~x, ~y)) denote the vector of all coefficientsof P (~x, ~y) when only the x1, . . . ,xn are treated as formal variables (i.e. the coefficients are themselvespolynomials over y1, . . . ,yn), and we define coeffs~y(P (~x, ~y)) analogously; as before, we drop the subscriptwhen only one set ~x or ~y of formal variables are used. We define the maximum number of monomials in ann-variate polynomial of total degree d to be kn,d :=
∑di=0
(i+n−1n−1
).
Proof. Lemma 6 below, applied with P1 = P2, shows that for any such scheme, there exists a fixed polynomialQ over the exponents of the public group elements that evaluates to the exponent of the shared secret key.Furthermore, the number of monomials in Q will be at most k2m,d = poly(λ), so can be efficiently computedwith an f-CDH oracle.
Lemma 6. Let ~x = (x1, . . . ,xn) and ~y = (y1, . . . ,yn) each denote length n vectors of formal variables.
Let ~R denote a length m vector of n-variate polynomials (R1(·), . . . , Rm(·)), let ~R(~x) denote the result ofevaluating (R1(~x), . . . , Rm(~x)).
Suppose there exists two (m+ n)-variate polynomials P1, P2 such that
P1(~R(~x), ~y) ≡ P2(~R(~y), ~x)
as polynomials over formal variables x1, . . . ,xn,y1, . . . ,yn. Let
d = maxdeg~x(P1(~R(~x), ~y)), deg~x(P2(~R(~y), ~x))
deg~y(P1(~R(~x), ~y)), deg~y(P2(~R(~x), ~y)).
Then there exists a 2m-variate polynomial Q of total degree at most 2d such that
Q(~R(~x), ~R(~y)) ≡ P1(~R(~x), ~y)
as polynomials over the same formal variables.
19
Proof. We consider the set of polynomials J(x) that can be represented as A(~R(~x)) for some m-variate
polynomial where deg(A(~R(~x))) ≤ d. Observe that the set of such J(x) form a linear subspace of the set of
all n-variate polynomials over ~x with degree at most d. Let ~v = coeffs(A(~R(~x))) denote the kn,d-dimensional
vector of coefficients of A(~R(~x)) (writing the coefficients according to some fixed ordering on the monomials),where kn,d defined above is the number of monomials over n variables of total degree at most d. Then there
exists some kn,d×kn,d dimensional matrix C(~R) such that C(~R) ·~v = 0 if and only if the polynomial satisfying
coeffs(p(~x)) = ~v is of the form p(~x) = A(~R(~x)) for some m-variate polynomial A(·). In other words, the
set of polynomials A(~R(~x)) form a linear subspace; in particular the subspace is spanned by the coefficientvectors corresponding to
∏mi=1Ri(~x)ai for each choice of ai where
∑i airi ≤ d, ai ≥ 0 where ri denotes
the degree of Ri.We can extend this characterization to describe the set of polynomials J(~x, ~y) which can be written as
A(~R(~x), ~y) for some (m+ n)-variate polynomial A(·) where maxdeg~x(A(~R(~x), ~y)),deg~y(A(~R(~x), ~y)) ≤ d.This follows from viewing J as a polynomial over only the x1, . . . ,xn formal variables, so that the coefficientsare now themselves polynomials over the y1, . . . ,yn formal variables. In other words, if coeffs~x(J(~x, ~y))denotes the coefficients of J(~x, ~y) when viewed as a polynomial over the x1, . . . ,xn formal variables, then
J(~x, ~y) can be written in the form A(~R(~x), ~y) if and only if C(~R) · ~v(~y) = 0.Observe that ~v(~y) can be written in the form V ·powers(~y, d) where V is a kn,d×kn,d dimensional matrix
consisting of the coefficients of J(~x, ~y) (taking the coefficients to be field elements, not polynomials) whoserows are indexed by monomials on the ~x variables and columns are indexed by monomials on the ~y variables,and powers(~y, d) denotes the kn,d-dimensional vector of all monomials of degree at most d over the y1, . . . ,ynformal variables.
Then the following three statements are equivalent:
• J(~x, ~y) can be written as A(~R(~x, ~y)) for some (m+ n)-variate polynomial A.
• C(~R) · ~v(~y) ≡ 0kn,d .
• C(~R) · V = 0kn,d×kn,d .
The equivalence between the last two statements follows immediately from the fact that C(~R) · ~v(~y) ≡ 0kn,d
holds if and only if this vector of kn,d formal polynomials is a vector of kn,d identically zero polynomials,which holds if and only if all the coefficients of these formal polynomial equal 0; the coefficients of the
polynomial in the ith entry of C(~R) · ~v(~y) are precisely the ith row of V .We can apply a symmetric argument to say that the same polynomial J(~x, ~y) can also be written in
the form A′(~R(~y), ~x) for some m-variate A′(·) if and only if C(~R) · V > = 0kn,d×kn,d . This means that if a
polynomial J(~x, ~y) can be written as both A(~R(~x), ~y)) for some A(·) as well as A′(~R(~y), ~x), for some A′(·),then its coefficient matrix V satisfies
C(~R) · V = C(~R) · V > = 0kn,d×kn,d .
The possible matrices V satisfying the above are spanned by rank 1 matrices ~wi·~w>i where C(~R)·~wi = 0kn,d .For any ~wi · ~w>i satisfying
C(~R) · ~wi · ~w>i = C(~R) · ~wi · ~w>i = 0kn,d×kn,d ,
we note that the corresponding polynomial Wi(~x, ~y) satisfying ~wi · ~w>i =coeffs(Wi(~x, ~y)) factors as Wi(~x, ~y) = W ′i (~x) ·W ′i (~y) where ~wi = coeffs(W ′i (~x)) = coeffs(W ′i (~y)), and fur-
thermore that W ′i (~x) has the form Ai(~R(~x)) for some m-variate polynomial Ai. We can therefore write
Wi(~x, ~y) = Ai(~R(~x)) ·Ai(~R(~y)).
Since any valid J(~x, ~y) is a linear combination of such Wi(~x, ~y), it follows that J(~x, ~y) = Q(~R(~x), ~R(~y))for some polynomial Q. Note that the total degree of each Wi is at most d, so the total degree of the resultingQ is at most 2d.
20
5 Lower Bounds for Random Generator Discrete Log and CDH
We proceed to give tight lower bounds (up to logarithmic factors) for r-DLog and r-CDH in the AI-GGM,making use of the following special case of a lemma due to Yun [Yun15].
Lemma 7 (Search-by-Hyperplane-Queries [Yun15] (SHQ)). Consider drawing z1, z2 uniformly at randomfrom ZN , and allowing an adversary A hyperplane queries of the form (a1, a2, b) where 1 is returned ifa1z1 + a2z2 = b and 0 otherwise. Then the probability that A outputs (z1, z2) after q hyperplane queries isat most q2/N2.
Theorem 6. The r-Dlog problem is ((S, T ), ε)-secure in the AI-GGM for any prime N ≥ 16 and
ε = O
(T 2
N+
(ST 2
N
)2).
Proof. In the r-Dlog game, the challenger C draws x← Z∗N , y ← ZN and initializesA with (σ(1), σ(x), σ(xy)).A is successful if it outputs y after at most T generic group queries. We show that r-Dlog is(
(S, T ), O(T 2
N + T 2P 2+T 3PN2
))-secure in the BF-GGM. Then we can apply Theorem 1 with γ = 1/N to get
the result, noting that T ′ = 3 and log(1/γ) = log(N), so P = O(ST ).
A := A2 takes as input the advice string aux generated by A1, makes T adaptive queries c(t)1 σ(x) +
c(t)2 σ(xy)+ c
(t)3 σ(1)t∈[T ] to the generic group oracle and receives σ(c
(t)1 x+ c
(t)2 xy+ c
(t)3 )t∈[T ] in return. Let
E be the event that there exists an a ∈ P and t ∈ [T ] such that c(t)1 x+ c
(t)2 xy + c
(t)3 = a and c
(j)3 6= a. Then
Prσ,x,y
[y ← AOG(aux)] ≤ Prσ,x,y
[y ← AOG(aux) | E] + Prσ,x,y
[y ← AOG(aux) | ¬E].
We begin by analyzing the first probability in the sum. Condition on a particular image L of σ and aparticular set of fixed points P. The following holds for any such choice. We set up a reduction B whichplays the SHQ game defined above and perfectly simulates the generic group game for A. B has access toL,P, im(P), and hyperplane query access to uniform values z1, z2 in ZN which we implicitly set to be x, xy.We assume that z1 6= 0, which happens except with probability 1/N . B operates as follows.
• Maintain a table mapping linear polynomials in ZN [z1, z2] to L. For each a ∈ P, record the pair(a, σ(a)).
• Query the SHQ oracle on hyperplane (1, 0, a) for each a ∈ P. If any query returns 1, record the pair(z1, σ(a)), otherwise choose a uniform value r from all unused values in L \ im(P) and record (z1, r).Do the same for z2. Next, store 1 along with its image. If 1 ∈ P this is already done. If not, query(1, 0, 1) to determine if z1 = 1 and if so store 1 along with the image of z1. Do the same for z2.Otherwise, draw a uniform value r from all unused values in L \ im(P) and record (1, r). Initialize Awith the images of 1, z1, and z2.
• When A submits a query c1z1 + c2z2 + c3, subtract each previously stored polynomial Q(z1, z2),resulting in some polynomial k1z1 +k2z2 +k3. Query the SHQ oracle on (k1, k2,−k3). If 1 is returned,let s be the element stored along with Q(z1, z2), record (c1z1 + c2z2 + c3, s), and return s to A.Otherwise, choose a uniform value r from all unused values in L \ im(P), record (c1z1 + c2z2 + c3, r)and return r.
• If E occurs, B will see a 1 returned by the SHQ oracle on a hyperplane query (k1, k2, k3) for k3 6= 0,meaning at least one of k1, k2 6= 0. Record this tuple. At the end of the interaction, A will return ay ∈ ZN . Now B outputs (k3(k1 + k2y)−1, y).
Setting z1 = x and z2 = xy, it is clear that B perfectly simulates the r-Dlog game for A. If E occurs,we know that k3 = k1x + k2xy = x(k1 + k2y), and k3 6= 0, so k1 + k2y 6= 0. Thus if A is successful and
21
returns y, B successfully computes x = k3(k1 + k2y)−1. Applying Lemma 7, and noting that B makes lessthan 2(P + 1) + T (P + T ) = O(TP + T 2) queries, we get that
Prσ,x,y
[y ← AOG(aux) | E] = O
(T 2P 2 + T 3P + T 4
N2
).
To analyze the second probability, we move to a hybrid game in the BF-GGM where x and y are setto be formal variables x and y at the beginning of the game. The challenger implements group operationsover ZN [x,y], initializing its table with the points in (a, σ(a)) for all a ∈ P. Every time A queries for a newpolynomial, C chooses a uniform element in L \ im(P) among those unused so far. When A outputs a guessfor y at the end of the game, the true value is chosen uniformly at random, so A wins with probability 1/N .Given that E does not occur, A’s probability of distinguishing these two games is bounded by the probabilitythat in the original game, two of its T queries are different polynomials over x and y but evaluate to the
same element, or there exists some query c(j)1 x + c
(j)2 xy + c
(j)3 such that c
(j)1 x+ c
(j)2 xy = 0 and at least one
of c(j)1 , c
(j)2 6= 0. So there are O(T 2) possible equations that could be satisfied and by Schwartz-Zippel, each
occurs with probability O(1/N) over the random choice of x and y. Thus by a union bound, A’s probabilityof distinguishing is O(T 2/N).
Combining, we have that A’s probability of success is
O
(T 2P 2 + T 3P + T 4
N2
)+O
(T 2
N
)+O
(1
N
)= O
(T 2
N+T 2P 2 + T 3P
N2
).
.
Theorem 7. The r-CDH problem is ((S, T ), ε)-secure in the AI-GGM for any prime N ≥ 16 and
ε = O
(T 2
N+
(ST 2
N
)2).
Proof. In the r-CDH game, the challenger C draws uniformly random a ← Z∗N , x, y ← ZN and initializesA with σ(1), σ(a), σ(ax), σ(ay). A is successful if it outputs σ(axy) after at most T generic group queries.
We show that r-CDH is(
(S, T ), O(T 2
N + T 2P 2+T 3PN2
))-secure in the BF-GGM and apply Theorem 1 with
γ = 1/N to get the result, noting that T ′ = 4 and log(1/γ) = log(N), so P = O(ST ).
A := A2 takes as input the advice string aux generated by A1, makes T adaptive queries c(t)1 σ(ax) +
c(t)2 σ(ay)+c
(t)3 σ(a)+c
(t)4 σ(1)t∈[T ] to the generic group oracle, and receives σ(c
(t)1 ax+c
(t)2 ay+c
(t)3 a+c
(t)4 )t∈[T ]
in return. We define a number of events:
• E1: there exists a t ∈ [T ] and i ∈ 1, 2, 3, 4 such that c(t)i ∈ x, y.
• E2: there exists a t ∈ [T ], p ∈ P such that c(t)1 ax+ c
(t)2 ay + c
(t)3 a+ c
(t)4 = p with c
(t)1 6= 0 or c
(t)2 6= 0.
• E3: there exists a t ∈ [T ], p ∈ P such that c(t)1 ax+ c
(t)2 ay + c
(t)3 a+ c
(t)4 = p with c
(t)1 , c
(t)2 = 0, c
(t)3 6= 0.
Now we can write
Prσ,a,x,y
[σ(axy)← AOG(aux)] ≤ Prσ,a,x,y
[E1]
+ Prσ,a,x,y
[σ(axy)← AOG(aux) | ¬E1 ∧ E2]
+ Prσ,a,x,y
[σ(axy)← AOG(aux) | ¬(E1 ∨ E2) ∧ E3]
+ Prσ,a,x,y
[σ(axy)← AOG(aux) | ¬(E1 ∨ E2 ∨ E3)].
22
To analyze the first probability in the sum, we set up a simple reduction to r-Dlog in the BF-GGM. Assume
that c(t)i = x in E1, the other case being symmetric. Then B will take as input σ(a), σ(ax), draw y uniformly
at random, and simulate A’s view of the generic group oracle with input σ(1), σ(a), σ(ax), σ(ay). This ispossible since all of A’s queries will be linear in a and ax. Whenever A makes a query c1ax+c2ay+c3a+c4,B will query its own oracle on ciσ(a) for each i ∈ 1, 2, 3, 4. If any queries result in the same handle asσ(ax), B has determined x and will return it. Since E1 occurs, this will eventually happen. The number ofqueries B makes to its oracle is 5 times that of A, meaning we can appeal to the proof of Theorem 6 to saythat
Prσ,a,x,y
[E1] = O
(T 2
N+T 2P 2 + T 3P
N2
).
To analyze the second probability in the sum, we follow the proof of Theorem 6, setting up a reductionB which plays the SHQ game. We only describe the differences. B’s goal will still be to output (z1, z2),except now we let B draw uniform a ← Z∗N at the beginning of the game and implicitly set z1 = ax andz2 = ay. We assume that z1, z2 6= 0 (so also that x, y 6= 0), with a O(1/N) loss in success probability. If Ais successful, B has the following equations at the end of the game (where the second equation comes frommapping σ(axy) back to the polynomial associated with it):
• c(t)1 ax+ c(t)2 ay + c
(t)3 a+ c
(t)4 = p, with c
(t)1 6= 0 or c
(t)2 6= 0.
• k1ax+ k2ay + k3a+ k4 = axy.
There are 3 cases. First let both c(t)1 , c
(t)2 6= 0. Write x = (p − c(t)4 − c
(t)3 a − c(t)2 ay)(c
(t)1 )−1a−1 from the
first equation and plug into the second equation. This results in a quadratic equation over y with non-zero
coefficient −c(t)2 a(c(t)1 )−1 on y2. Solve for y and plug in to the first equation to recover x and thus z1 = ax
and z2 = ay.
Now say that c(t)1 6= 0 but c
(t)2 = 0. Then solve for x = (p−c(t)4 −c
(t)3 a)(c
(t)1 )−1a−1 which can be recovered
in the clear since there is no term involving y and B knows a. Then plug in a and x to the second equation,resulting in a linear polynomial over y with coefficient on y equal to a(k2 − x). Since E1 does not occur (so
k2 6= x), we know this coefficient is non-zero, so B can successfully solve for y. The case where c(t)1 = 0 but
c(t)2 6= 0 is symmetric. Thus by Lemma 7,
Prσ,a,x,y
[σ(axy)← AOG(aux) | ¬E1 ∧ E2] = O
(T 2P 2 + T 3P + T 4
N2
).
To analyze the third probability in the sum, we again set up a reduction B which plays the SHQ game.
This time we implicitly set z1 = a and z2 = ax. Since we have a query such that c(t)3 a+c
(t)4 = p, B determines
the value of a. Then B learns k1as + k2ay + k3a + k4 = axy. The coefficient of ax is k1 − y, and since weknow k1 6= y, this allows B to solve for ax. So again we have
Prσ,a,x,y
[σ(axy)← AOG(aux) | ¬(E1 ∨ E2) ∧ E3] = O
(T 2P 2 + T 3P + T 4
N2
).
Finally, to determine the fourth probability, we can repeat exactly the same analysis from Theorem 6,moving to a hybrid where a, x, and y are formal variables. We again obtain a distinguishing advantage ofO(T 2/N). Combining all probabilities, we get that A’s probability of success is
O
(T 2
N+T 2P 2 + T 3P
N2
).
23
6 Non-Malleable Point Obfuscation
In this section, we construct a non-malleable point obfuscator secure against polynomial mauling attacks,which were first considered by Komargodski and Yogev [KY18a]. We first briefly review relevant definitions.
6.1 Definitions
Denote by Ix the function that returns 1 on input x and 0 otherwise.
Definition 7. (Point Obfuscation) A point obfuscator for a domain Xλλ of inputs is a PPT Obf thattakes as input a point x ∈ Xλ and outputs a circuit such that the following hold.
• Functionality Preservation: For all λ ∈ N, there exists a negligible function µ such that for allx ∈ Xλ,
Pr[Obf(x) ≡ Ix] = 1− µ(λ).
• Virtual Black Box (VBB) Security: For all PPT A and any polynomial function p, there existsa PPT S such that for all x ∈ Xλ and any predicate P : Xλ → 0, 1, and all large enough λ,∣∣Pr[A(Obf(x)) = P (x)]− Pr[SIx(Obf(x)) = P (x))]
∣∣ ≤ 1
p(λ).
We give another property of point obfuscators first considered in [Can97] and re-defined in [BC14].
Definition 8 (Distributional Indistinguishability). Let Xλλ be a family of domains. Then a point obfus-cator Obf for Xλλ satisfies Distributional Indistinguishability if for all PPT A and well-spread ensemblesof distributions Dλλ over Xλλ, there exists a negligble function µ(λ) such that
|Pr[A(Obf(x)) = 1]− Pr[A(Obf(u)) = 1]| = µ(λ),
where x← Dλ and u is drawn from the uniform distribution over Xλ.
[Can97, BC14] show that Distributional Indistiguishability is equivalent to VBB security for point ob-fuscators. Now we give the [KY18a] definition of non-malleability. This definition involves the notion of aVerifier algorithm, which simply checks that the potentially mauled obfuscation is valid.
Definition 9. (Verifier) A PPT V for a point obfuscator Obf for an ensemble of domains Xλλ is called aVerifier if for all λ ∈ N and x ∈ Xλ, it holds that Pr[V(Obf(x)) = 1] = 1, where the probability is taken overthe randomness of V and Obf.
Definition 10. (Non-malleable Point Function Obfuscation) Let Obf be a point function obfuscator for anensemble of domains Xλλ with an associated verifier V. Let Fλλ = f : Xλ → Xλλ be an ensemble offamilies of functions, and let Dλλ be an ensemble of distributions over Xλ. Then Obf is a non-malleablepoint obfuscator for F and D if for any PPT A, there exists a negligible function µ such that for any λ ∈ N,
Pr[V(C) = 1, f ∈ Fλ, C ≡ If(x) | x← Dλ, (C, f)← A(Obf(x))] ≤ µ(λ).
In the following, we rely on the existence of a pseudo-deterministic GroupGen algorithm that may userandomness, but on input the security parameter 1λ outputs a unique description of a group Gλ with aunique generator g and prime order p(λ) ∈ [2λ−1, 2λ]. As discussed in the introduction, this would involvepsuedo-deterministic generation of large primes. This is not provably efficient, but we can rely for example onCramer’s conjecture to argue efficiency. See [GG11] for further discussion on psuedo-deterministic algorithms,including group generator generation.
24
6.2 Assumptions
Assumption 3. Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let Dλ be a family ofwell-spread distributions where the domain of Dλ is Zp(λ). Then for any n = poly(λ), for any PPT A,∣∣∣Pr[A(ki, gkix+xii∈[2,...,n]) = 1]− Pr[A(ki, gkir+r
i
i∈[2,...,n]) = 1]∣∣∣ = negl(λ),
where x← Dλ, r ← Zp(λ), and ki ← Zp(λ).
Assumption 4. Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let Dλ be a family ofwell-spread distributions where the domain of Dλ is Zp(λ). Then for any n = poly(λ), for any PPT A,
Pr[gx ← A(ki, gkix+xii∈[2,...,n])] = negl(λ),
where x← Dλ and ki ← Zp(λ).
.
Lemma 8. Assumption 3 implies Assumption 4.
Proof. We first give the following intermediate assumption. For binary strings s1, s2, let 〈s1, s2〉 denote theirinner product mod 2.
Assumption 5. Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let σ : Gλ → 0, 1`(λ) be anarbitrary embedding of group elements into binary strings. Let Dλ be a family of well-spread distributionswhere the domain of Dλ is Zp(λ). Then for any n = poly(λ), for any PPT A,∣∣∣Pr[A(s, 〈s, σ(gx)〉, ki, gkix+xii∈[2,...,n]) = 1]
− Pr[A(s, 〈s, σ(gx)〉, ki, gkir+ri
i∈[2,...,n]) = 1]∣∣∣ = negl(λ),
where x← Dλ, r ← Zp(λ), ki ← Zp(λ), and s← 0, 1`(λ).
First we argue that Assumption 3 implies Assumption 5. Say there exists an adversary A and well-spread distribution ensemble Dλ such that A breaks Assumption 5. Then for infinitely many λ, there
exists a fixed string s∗λ for which A distinguishes with 1/poly(λ) advantage. Let D(0)λ be the distribution
Dλ restricted to x such that 〈s∗λ, σ(gx)〉 = 0 and define D(1)λ analogously. Now there are two cases. If
Pr[〈s∗λ, σ(gx)〉 = b | x← Dλ] = negl(λ) for some bit b, then A must break Assumption 3 when x← D(1−b)λ ,
sinceD(1−b)λ is negligibly close toDλ, and since (s, 〈s, σ(gx)〉) can be fixed to be constant parameters (s∗λ, 1−b).
Otherwise, both D(0)λ and D(1)
λ have ω(log(λ)) min-entropy. Obverse that there must be a fixed bit b forwhich A distinguishes with 1/poly(λ) advantage when s = s∗λ and 〈s∗λ, σ(gx)〉 = b. But this is exactly the
Assumption 3 distinguishing game with well-spread distribution D(b)λ . Thus there exists a distribution for
which A breaks Assumption 3 for infinitely many settings of λ.Next we argue that Assumption 5 implies Assumption 4. Assume the existence of an adversary A that
succeeds in the Assumption 4 game with non-negligible probability ε(λ). Consider the following reduction
B that takes as input s, b := 〈s, σ(gx)〉 and either ki, gkix+xii∈[2,...,n] or ki, gkir+rii∈[2,...,n]. It forwards
its set of n− 1 group elements to A, which returns some group element h. B outputs 1 if 〈s, σ(h)〉 = b. If Breceived ki, gkir+rii∈[2,...,n], then the view of A is independent of s and gx. Thus we can imagine drawings and x after A has returned the group element h. We condition on h 6= gx, which occurs with overwhelmingprobability due the min-entropy requirement on x. Then the probability B outputs 1 is the probability that〈s, (σ(gx) − σ(h))〉 = 0, which is exactly 1/2 since σ(gx) − σ(h) 6= 0`(λ). So overall, the probability that Boutputs 1 is at most 1/2 + negl(λ). Now if B received ki, gkix+xii∈[2,...,n], then with probability ε(λ), Areturns h = gx and with probability 1 − ε(λ), A returns h = gy for some y 6= x. Since s is independent
25
of A’s view, we can use the same argument to show that in this latter case, B outputs 1 with probabilityexactly 1/2. In the former case, B outputs 1 with probability 1. Then overall, B outputs 1 with probability
ε(λ) + 12 (1− ε(λ)) = 1
2 + ε(λ)2 , which is non-negligibly greater 1
2 + negl(λ), thus breaking Assumption 5.
6.3 The Obfuscator
Our obfuscation consists of three scalars and three group elements. We remark that the first group elementis sufficient for our proof on non-malleability, but that we include the next two to obtain functionalitypreservation.
• Obf(1λ, x): Compute GroupGen(1λ) = (Gλ, g, p(λ)). Draw a, b, c← Zp(λ) and output
a, b, c, gax+x2+x3+x4+x5
, gbx+x6
, gcx+x7
.
• Eval(1λ, (a, b, c, ha, hb, hc), x): Compute GroupGen(1λ) = (Gλ, g, p(λ)). Accept if and only if
ha = gax+x2+x3+x4+x5
, hb = gbx+x6
, hc = gcx+x7
.
Theorem 8. The above point obfuscator satisfies functionality preservation.
Proof. Fix a point x ∈ Zp(λ). We show the probability that there exists a y 6= x such that Eval(1λ,Obf(1λ, x), y)accepts is at most 4/p(λ)2. Union bounding over all x completes the proof.
The randomness in Obf consists of the elements a, b, c. Fix just a for now and let t = ax+x2+x3+x4+x5.Then any y which causes Eval to accept satisfies ay+y2+y3+y4+y5 = t. This leaves four possible y 6= x. Foreach such y, we write P (b) = (x6−y6)+(x−y)b and Q(c) = (x7−y7)+(x−y)c which are linear polynomialsover b and c respectively with non-zero linear coefficient. Then y only causes Eval to accept if P (b) = 0 andP (c) = 0. But these occur simultaneously with probability 1/p(λ)2 over the uniform randomness of b, c. Soby a union bound, there exists a y 6= x such that Eval(1λ,Obf(1λ, x), y) accepts with probability at most4/p(λ)2.
Theorem 9. Under Assumption 3, the above point obfuscator satisfies Virtual Black Box Security.
Proof. The obfuscator satisfies distributional indistinguishability, which follows directly from Assumption 3with n = 7. A reduction simply receives ki, hii∈[2,...,7] and forms the obfuscation (
∑5i=2 ki, k6, k7,
∏5i=2 hi, h6, h7).
As mentioned earlier, this is equivalent to VBB security.
Theorem 10. Let Dλ be a well-spread distribution ensemble with domain Zp(λ)λ. Let Fpoly = fλ :Zp(λ) → Zp(λ)λ be the ensemble of functions where fλ is the set of non-constant, non-identity polynomials 19
in Zp(λ)[x] with poly(λ) degree. Then under Assumption 3, the above obfuscator is non-malleable for Fpolyand distribution ensemble Dλ.
Proof. First, we fix the verifier to check that the Eval circuit is using the g output by GroupGen(1λ). Now weshow that any mauling adversary A can be used to break Assumption 4, which as seen above follows fromAssumption 3.
We first handle the case where A outputs an f of degree at least 2. Let m ≥ 2 be the degree of A’spolynomial. We define the following reduction B.
• Receive ki, hii∈[2,...,7m] := ki, gkix+xii∈[2,...,7m] from the Assumption 4 challenger, where x← Dλ.
19Note that constant and identity polynomials correspond to ‘trivial’ mauling attacks that cannot be prevented. A constantpolynomial corresponds to picking an unrelated y and obfuscating y, while the identity polynomial corresponds to doing nothing.
26
• Send (∑5i=2 ki, k6, k7,
∏5i=2 hi, h6, h7) to A, which returns (f, a, b, c, ja, jb, jc) where a, b, c ∈ Zp(λ) and
ja, jb, jc are group elements.
• Compute cf(x) + f(x)7 = `0 + `1x+ · · ·+ `7mx7m.
• Return (jc/(g`0∏7mi=2(h`ii )))1/(`1−
∑7mi=2 ki`i).
B perfectly simulates the obfuscation for x← Dλ for A, which is guaranteed to return a valid obfuscationof f(x) with 1/poly(λ) probability. In this case, fc = g`0+`1x+···+`7mx7m
. Then B successfully computes gx
unless `1−∑7mi=2 ki`i = 0. We know that `7m 6= 0 and that k7m is uniformly random and independent of A’s
view, so this occurs with probability at most 1/p(λ) = negl(λ). Thus, B breaks Assumption 4 with 1/poly(λ)probability.
In the case that f is linear, we set up the same reduction B, except for the last two steps.
• Compute af(x) + f(x)2 + f(x)3 + f(x)4 + f(x)5 = `0 + `1x+ · · ·+ `5x5.
• Return (ja/(g`0∏5i=2(h`ii )))1/(`1−
∑5i=2 ki`i).
Like before, it suffices to argue that `1 −∑5i=2 ki`i 6= 0 except with negligible probability. In this case,
the adversary receives z := k2 + k3 + k4 + k5. Thus letting k5 = z − k2 − k3 − k4, there are 3 free variablesk2, k3, k4 in A’s view. We can then re-write `1 −
∑5i=2 ki`i 6= 0 as
`1 − `5z + (`5 − `2)k2 + (`5 − `3)k3 + (`5 − `4)k4.
So in order for this to evaluate to 0 with non-negligible probability, each of the coefficients on k2, k3, k4
must be 0. Let f(x) = rx+ s. Then writing out what the `i are, we see that the following must hold.
r5 = 5r4s+ r4 = 10r3s2 + 4r3s+ r3 = 10r2s3 + 6r2s2 + 3r2s+ r2
It is easily verified that the only solutions to the above system are when r = 0 or (r = 1, s = 0).These correspond to when f is constant or the identity, so we can conclude that if A succeeds in breakingnon-malleability, B breaks Assumption 4 with 1/poly(λ) probability.
7 Justifying Assumptions in the Generic Group Model
We will need some additional background from [CDG18], plus a couple of new simple lemmas. Note thatwhile we make use of techniques from [CDG18] that establish theorems relating the AI-GGM and BF-GGM,we never technically operate in the BF-GGM. We need a more fine-grained approach, starting in the plainGGM and modifying the labeling function and challenger’s game incrementally.
7.1 Background
Definition 11 ([CDG18]). An (N,M)-injection source Σ is a random variable that takes on as value functiontables corresponding to injections σ : [N ]→ [M ]. An (N,M)-injection source Σ is called (P,L, 1− δ)-densefor L ⊆ [M ] if it is fixed on at most P coordinates and if for every subset I of non-fixed coordinates,
H∞(ΣI) ≥ (1− δ) log
((N − P )!
(N − P − |I|)!
),
where ΣI is the random variable Σ restricted to the coordinates in I. When δ = 0, the source is called(P,L)-fixed.
27
Remark 3. We denote by AΣ an algorithm that has oracle access to an injection σ drawn from the sourceΣ. This means that A can perform forward queries where on input x the oracle returns σ(x) or backwardqueries where on input x the oracle returns σ−1(x).
Lemma 9 ([CDG18]). Let Σ be a uniform (N,M)-injection source and f : [M ][N ] → 0, 1S a potentiallyrandomized function. Let Σf,x,L be the random variable corresponding to the distribution of Σ conditionedon f(Σ) = x and im(Σ) = L. Then for any γ > 0, P ∈ N, there exists a family Yx,Lx,L, indexed by
values x ∈ 0, 1S and size-N subsets L of [M ], of convex combinations Yx,L of (P,L, 1− S+log(1/γ)P log(N/e) )-dense
sources, such that Σf,x,L is γ-close to Yx,L. Furthermore, replacing each Yx,L with its corresponding convexcombination Zx,L of (P,L)-fixed sources, we have that for any distinguisher D taking an S-bit input andmaking at most T queries to its injection oracle,
|Pr[DΣ(f(Σ)) = 1]− Pr[DZf(Σ),im(Σ)(f(Σ)) = 1]| ≤ 2(S + log 1/γ) · TP
+ γ.
The above is actually slightly modified from the statement in [CDG18], with the only difference being thatwe allow f to be randomized. The only place in their proof that makes use of f being deterministic is Claim19, essentially that (where everything is conditioned on some range L), Ex[H∞(Σ|f(Σ) = x)] ≥ log(N !)−S.Their proof of this claim can easily be adapted to allow randomized f . Say that f uses k uniformly randombits. Then define the deterministic function f ′ : 0, 1k × [N ][N ] → 0, 1S that runs f using its first inputas the randomness. Let K be the random variable corresponding to drawing a uniformly random string in0, 1k. Now by averaging, we have that for any x, H∞(Σ|X = x) ≥ H∞((K,Σ)|X = x)−k. Then, followingthe proof in [CDG18],
Ex[H∞(Σ|f(Σ) = x)] ≥ Ex[H∞((K,Σ)|f ′(K,Σ) = x)]− k= Ex[H((K,Σ)|f ′(K,Σ) = x)]− k ≥ log(N !) + k − S − k = log(N !)− S,
where H is Shannon entropy, and the equality is due to the fact that conditioned on x, (K,Σ) is uniformover all values (r, σ) such that f ′(r, σ) = x.
Lemma 10 ([CDG18]). For any (P,N, 1−δ)-dense (N,N)-injection (bijection) source Y and its correspond-ing (P,N)-fixed source Z, it holds that for any (adaptive) distinguisher D that makes at most T queries toits oracle,
|Pr[DY = 1]− Pr[DZ = 1]| ≤ Tδ logN.
Now we give two additional lemmas, useful for proving Theorem 11.
Lemma 11. Let Σ be a uniform (N,N)-injection (bijection) source with log(N) = Θ(λ) and f : [N ][N ] →0, 1S a potentially randomized function. Let Σ′ be the random variable on σ′ that results from drawing σ ←Σ, x ← f(σ), and then σ′ ← Σf,x,[N ] defined in Lemma 9. Say that for all σ, H∞(X|Σ = σ) = ω(log(λ)).Then
EΣ′ [maxxPr[X = x|Σ′ = σ]] = negl(λ).
Proof. With two applications of Bayes’ Theorem, we see that for any x ∈ 0, 1S
Pr[X = x|Σ′ = σ] =Pr[Σ′ = σ|X = x] Pr[X = x]
Pr[Σ′ = σ]=
Pr[Σ = σ|X = x] Pr[X = x]
Pr[Σ′ = σ]
=
(Pr[X=x|Σ=σ] Pr[Σ=σ]
Pr[X=x]
)Pr[X = x]
Pr[Σ′ = σ]= Pr[X = x|Σ = σ]
(Pr[Σ = σ]
Pr[Σ′ = σ]
).
So plugging in,
28
EΣ′ [maxxPr[X = x|Σ′ = σ]] =
∑σ
maxxPr[X = x|Σ′ = σ]Pr[Σ′ = σ]
=∑σ
maxxPr[X = x|Σ = σ] Pr[Σ = σ] ≤ max
x,σPr[X = x|Σ = σ] = negl(λ).
Lemma 12. Consider n events X1, . . . , Xn such that each event occurs with probability at least α, where
α > 2/n. Then for a uniformly random i, j ← [n], Pr[Xi ∧Xj ] ≥ α2
4 .
Proof. Let m = 2/α < n. Picking a uniform pair i, j is equivalent to picking a uniform subset of size m andthen picking i, j from that set. Let Y1, ..., Ym be these m events, where each still occurs with probability atleast α. Then
1 ≥ Pr[Y1 ∨ · · · ∨ Ym] ≥∑
1≤i≤m
Pr[Yi]−∑
1≤i<j≤m
Pr[Yi ∧ Yj ]
=∑
1≤i≤m
Pr[Yi]−m2 Pr[Yi ∧ Yj : i, j ← [m]]
≥ mα−m2 Pr[Yi ∧ Yj : i, j ← [m]].
Solving for Pr[Yi ∧ Yj : i, j ← [m]] gives 1m (α− 1
m ) = α2
4 .
.
7.2 Proofs
Theorem 11. Assumption 3 (Section 6) holds in the Generic Group Model.
Proof. We define the following hybrid games.
• Hybrid 0. The Assumption 3 distinguishing game for generic adversary A.
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
The challenger C receives as input (Gλ, g, p, σ, x), chooses b ← 0, 1, r, ki ← Zp for i ∈ [2, ..., n], andinitializes the adversary A with ki, σ(b(kix+xi)+(1−b)(kir+ri))i∈[2,...n]. The challenger C proceedsto implement the generic group oracle for A, after which A outputs a guess b′ ∈ 0, 1. A wins if b′ = b.
• Hybrid 1. In this hybrid, we switch to a “bit-fixing” labeling σ′.
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
Let Zx,im(σ) be the family defined as in Lemma 9 (parameterized by some P ∈ N and γ := 1/2λ).Sample σ′ ← Zx,im(σ)
The challenger C receives as input (Gλ, g, p, σ′, x), chooses b ← 0, 1, r, ki ← Zp for i ∈ [2, ..., n],and initializes the adversary A with ki, σ′(b(kix+ xi) + (1− b)(kir + ri))i∈[2,...n]. The challenger Cproceeds to implement the generic group oracle for A, after which A outputs a guess b′ ∈ 0, 1. Awins if b′ = b.
29
Now we assume the existence of an adversary A that makes T (λ) = poly(λ) queries and attains non-negligible advantage ε(λ) in Hybrid 0. Let q(λ) = poly(λ) be such that q(λ) > 1/ε(λ) for infinitely manyλ. Let T := T (λ) and q := q(λ). Set P = 30λT 4q = poly(λ).
Claim 1. A attains advantage at least 1/2q in Hybrid 1.
Consider the following distinguisher D(x), which interacts with an oracle injection source mapping [p]→[p′], and receives as input x ← S(σ). D simulates the interaction between C and A described in Hybrid 0and outputs a bit indicating whether A was successful or not. If the injection source that D is interactingwith is σ, then the simulation is exactly Hybrid 0. If it is Zx,im(σ), then the simulation is exactly Hybrid1.
Applying Lemma 9 with the sampler x ← S(σ) as the function f , we have that the success probabilityof A in Hybrid 1 must be at least
ε(λ)− 2T (log p+ log(1/γ))
P− γ ≥ 1
q− 4λT
30λT 4q− 1
2λ≥ 1
2q.
We show that A obtaining this advantage leads to a contradiction. Condition on im(σ) = L for someL where A obtains at least advantage 1/2q. Here Σ is defined as in Lemma 9, except [M ] is fixed to beL, resulting in a bijection source. We drop subscripts from the associated distributions, so Yx := Yx,L,
Zx := Zx,L, and Σx := ΣS,x,L. The distribution Zx is a convex combination of bit-fixing distributions B(j)x
with associated fixed points P(j)x . Let this convex combination be Jx. So to draw σ′ from Zx, we draw
j ← Jx, then σ′ ← B(j)x .
Now we analyze the adversary’s generic group oracle queries. Any query A makes can be viewed as alinear polynomial over its challenge elements
`1 +
n∑i=2
`i(b(kix+ xi) + (1− b)(kir + ri)),
specified by coefficients [`1, ..., `n]. We split these queries into two parts based on whether the linear poly-nomial is constant or non-constant over the challenge elements (whether there is some i ∈ [2, ..., n] suchthat `i 6= 0). We will consider each initial handle that A receives as a non-constant query where `i = 1 forsome i and `j = 0 for j 6= i. Assume without loss of generality that all of A’s queries are distinct linearcombinations.
Note that constant queries are identically distributed in the b = 0 and b = 1 cases. Let Tc denote theset of constants that are queried by A throughout its interaction. Then observe that if, for both settings of
b, all of A’s non-constant queries result in distinct group elements that each lie outside of the set P(j)x ∪ Tc,
the oracle responses are identically distributed in both cases. Now, for any T -query adversary that at somepoint queries two distinct non-constant linear polynomials that evaluate to the same point, we can definea T 2-query adversary that at some point queries a non-constant linear polynomial that evaluates to zero.Redefine A to be this latter adversary. Thus if A distinguishes, it must at some point form a non-constant
query that evaluates to a value in P(j)x ∪ Tc ∪ 0.
For a given query t, let T (t)c denote the set of constants among the first t queries made by A. There must
exist some query t such that both of the following hold with probability 1/(2qT 2).
• t is non-constant and evaluates to an element in P(j)x ∪T (t)
c ∪0 OR t is a constant c and there existsan earlier non-constant query t′ such that query t′ evaluates to c
• all previous non-constant queries (except perhaps t′) evaluate to an element outside of P(j)x ∪T (t)
c ∪0
Otherwise, by a union bound, A could not obtain distinguishing success 1/(2q). Note that every non-
constant query prior to t except perhaps t′ is answered with a uniformly random value in L\ im(P(j)x ∪T (t)
c ∪
30
0). Since |P(j)x ∪ T (t)
c ∪ 0| = poly(λ), we can imagine instead drawing each response uniformly from L,which by a union bound will change A’s view with negligible probability. Then A can simulate these answersitself with uniform randomness, with a negligible difference in success probability.
Now we are left with an adversary A that takes as input ki := kii∈[2,...,n], makes at most T 2 queriesto σ′, and outputs a set of coefficients [`1, ..., `n] (representing the non-constant query t or t′). Define
P ′(j)x := P(j)x ∪ T (t)
c ∪ 0.Now we break up the analysis into whether b = 0 or b = 1. If b = 0, we are guaranteed that with
probability 1/(2qT 2)−negl(λ) = 1/poly(λ) over all randomness in the game setup, ki, and A, the followingholds.
`1 +
n∑i=2
`i(kir + ri) ∈ P ′(j)x
But note that r is drawn uniformly at random from a set of size p, independently of A’s view. Thus bySchwartz-Zippel and a union bound, the above holds with probability at most (T 2 + P + 1)n/p = negl(λ).
Now let b = 1. We are guaranteed that with probability 1/(2qT 2) − negl(λ) over all randomness in thegame setup, ki, and A, the following holds:
`1 +
n∑i=2
`i(kix+ xi) ∈ P ′(j)x .
Redefine A to output the above polynomial Q(x) ∈ Zp[x] on input ki. Now accounting for all random-ness during the course of the game, we have that
Prσ←Σ,x←S(σ),j←Jx,σ′←B(j)
x ,ki←Zn−1p ,A
[Q(x) ∈ P ′(j)x : Q← Aσ′(ki)] =
1
2qT 2− negl(λ).
Now we switch the distribution on σ′ from Z = Zxx to Y = Yxx. We can still represent Yx in the
same way as Zx except the B(j)x ’s are replaced by (P, 1 − δ)-dense sources D(j)
x . Referring to the Lemma 9statement, we have that
δ ≤ 2λ+ log 1/γ
P log(p/e)≤ 1
10T 4q log(p/e).
Now assume towards contradiction that this switch in distribution causes the adversary’s success tobecome at most 1/(4qT 2). Then there must exist some fixed choice of σ, x and j such that A’s difference insuccess over σ′ and its input is at least 1/(4qT 2)− negl(λ). So we have
Prσ′←B(j)
x ,ki←Zn−1p ,A
[Q(x) ∈ P ′(j)x : Q← Aσ′(ki)]−
Prσ′←D(j)
x ,ki←Zn−1p ,A
[Q(x) ∈ P ′(j)x : Q← Aσ′(ki)] ≥
1
4qT 2− negl(λ).
But now we can define a distinguisher that contradicts Lemma 10. The distinguisher knows the fixed x
and the set of fixed points P(j)x , and interacts with either B(j)
x or D(j)x , simulating A making T 2 queries. It
can tell whether A succeeds by plugging x into the polynomial produced and comparing the result to theset of fixed points and the set of queries made by A. Yet it can only distinguish with probability at mostT 2δ log p ≤ 1/(5qT 2) which is a contradiction.
Now we imagine picking c uniformly at random from P ′(j)x . Since 1/(4qT 2) = 1/poly(λ) and |P ′(j)x | ≤T 2 + P + 1 = poly(λ), we can say that
Prσ←Σ,x←S(σ),j←Jx,σ′←D(j)
x ,
c←P′(j)x ,ki←Zn−1p ,A
[Q(x) = c : Q← Aσ′(ki)] =
1
poly(λ).
31
Now there must exist a 1/poly(λ) fraction of ki such that the above holds with probability 1/poly(λ)on each of those inputs. Denote this set K, where Ki denotes the ith element of the set. We also now giveσ′ as an input to A rather than just giving it oracle access. So we have
Prσ←Σ,x←S(σ),j←Jx,σ′←D(j)
x ,c←P′(j)x ,A
[Q(x) = c : Q← A(σ′,Ki)] =1
poly(λ)∀i ∈ [|K|].
Then by Lemma 12, noting that |K| = ω(poly(λ)),
Prσ←Σ,x←S(σ),j←Jx,σ′←D(j)
x ,
c←P′(j)x ,A,i1,i2←[|K|]
[Q1(x) = c = Q2(x) :
Q1 ← A(σ′,Ki1)Q2 ← A(σ′,Ki2)
]=
1
poly(λ).
Thus we can get rid of c, and are guaranteed that
Prσ←Σ,x←S(σ),j←J ,xσ′←D(j)
x ,A,i1,i2←[|K|]
[Q1(x)−Q2(x) = 0 :
Q1 ← A(σ′,Ki1)Q2 ← A(σ′,Ki2)
]=
1
poly(λ).
Now since K is a 1/poly(λ) fraction of the entire domain of ki, we can instead pick these sets from theentire domain, and with 1/poly(λ) probability they will both lie in K. This gives
Prσ←Σ,x←S(σ),j←Jx,σ′←D(j)
x ,
A,k(1)i ,k
(2)i ←Z
n−1p
[Q1(x)−Q2(x) = 0 :
Q1 ← A(σ′, k(1)i )
Q2 ← A(σ′, k(2)i )
]=
1
poly(λ).
Now we look at the probability that Q1 and Q2 are distinct polynomials. For any fixed Q, there are atmost a 1/p fraction of sets ki such that A(ki) could possibly output Q. This follows since given someki, the coefficients on x2, ..., xn in Q determine the `2, ..., `n in A’s linear combination. Then there remainsa 1/p chance that the `i and ki dot product to the correct linear coefficient in Q. So for uniformly
random choice of the k(1)i and k(2)
i sets, there is a negl(λ) chance that the resulting Q1 and Q2 outputby A could possibly be equal.
Let E1 be the event that Q1(x) − Q2(x) = 0 and E2 be the event that Q1 6= Q2. We want to say thatPr[E1 ∧ E2] = 1/poly(λ). This follows from a simple union bound: Pr[E1 ∧ E2] = 1 − Pr[¬E1 ∨ ¬E2] ≥1− Pr[¬E1]− Pr[¬E2] = 1− (1− 1/poly(λ))− negl(λ) = 1/poly(λ).
So we redefine A to generate two random sets k(1)i and k(2)
i for itself, determine the polynomialsQ1 and Q2, solve for the roots of Q1 − Q2, and output a uniformly random root. Note that the degree ofQ1 −Q2 will be at most n = poly(λ). Thus the following holds:
Prσ←Σ,x←S(σ),σ′←Yx,A
[x← A(σ′)] =1
poly(λ).
Now we can switch Yx to Σx, and claim that
Prσ←Σ,x←S(σ),σ′←Σx,A
[x← A(σ′)] =1
poly(λ).
If instead A’s success was negligible after this switch, then there exists a fixed x for which the differencein success is 1/poly(λ). But Yx and Σx are γ-close with γ = 1/2λ = negl(λ) so this is impossible. Then, wecan write
Prσ′←Σ′,A
[x← A(σ′)] =1
poly(λ),
where Σ′ is defined as in Lemma 11. This contradicts Lemma 11.
32
7.3 Generic Hardness of DDH-II
Assumption 6. (f-DDH-II) Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let Dλλ be afamily of well-spread distributions where the domain of Dλ is Zp(λ). Then for any PPT A,
|Pr[A(gx, gr, gxr) = 1]− Pr[A(gx, gr, gs) = 1]| = negl(λ),
where x← Dλ, and r, s← Zp(λ).
Theorem 12. Assumption 6 holds in the Generic Group Model.
Note that this trivially implies generic security of r-DDH-II.
Proof. We define the following sequence of hybrid games.
• Hybrid 0. The Assumption 6 distinguishing game for generic adversary A.
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
The challenger C receives as input (Gλ, g, p, σ, x), picks a random challenge bit b← 0, 1, and samplesuniformly random r, s ← Zp. It initializes the adversary A with (σ(1), σ(x), σ(r), σ(bxr + (1 − b)s)).The challenger C proceeds to implement the generic group oracle for A, after which A outputs a guessb′ ∈ 0, 1. A wins if b′ = b.
• Hybrid 1. In this hybrid, we switch to a bit-fixed labeling σ′
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
Let Zx,im(σ) be the family defined as in Lemma 9 (parameterized by some P ∈ N and γ := 1/2λ).Sample σ′ ← Zx,im(σ), letting P denote the fixed points between σ and σ′.
The challenger C receives as input (Gλ, g, p, σ′, x), picks a random challenge bit b← 0, 1, and samplesuniformly random r, s← Zp. It initializes the adversary A with (σ′(1), σ′(x), σ′(r), σ′(bxr+ (1− b)s)).The challenger C proceeds to implement the generic group oracle for A, after which A outputs a guessb′ ∈ 0, 1. A wins if b′ = b.
• Hybrid 2. In this hybrid, we switch s, r from uniformly random values to formal variables s, r.
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
Let Zx,im(σ) be the family defined as in Lemma 9 (parameterized by some P ∈ N and γ := 1/2λ).Sample σ′ ← Zx,im(σ), letting P denote the fixed points between σ and σ′.
The challenger C receives as input (Gλ, g, p, σ′,P, x), and picks a random challenge bit b← 0, 1. Fixformal variables r, s. The challenger C interprets the intial elements given to A and A’s oracle queriesas formal polynomials over Zp[r, s], and responds differently based on the resulting formal polynomial.If the polynomial is a constant value k with no dependence on r or s, C answers with σ′(k) as in Hybrid1. Otherwise, C samples a uniformly random value from im(σ′)\ im(P) and responds with this (unlessthe formal polynomial has been queried before, in which case C responds with the label it returned onthe earlier query). A outputs a guess b′ ∈ 0, 1, and A wins if b′ = b.
• Hybrid 3. In this hybrid, we change the game. We don’t consider formal variables r, s, or have thechallenger pick b. Instead, we only give A the handle σ′(x) and require that it return the value x tobe considered successful.
33
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
Let Zx,im(σ) be the family defined as in Lemma 9 (parameterized by some P ∈ N and γ := 1/2λ).Sample σ′ ← Zx,im(σ), letting P denote the fixed points between σ and σ′.
The challenger C receives as input (Gλ, g, p, σ′, x). It initializes the adversary A with (σ′(1), σ′(x)) andproceeds to implement the generic group oracle with σ′. A then outputs a guess x′ for x and wins ifx′ = x.
• Hybrid 4. In this hybrid, we move back to the original σ.
Let GroupGen(1λ) = (Gλ, g, p(λ)), where 2λ−1 < p(λ) < 2λ. Let p := p(λ). Sample a uniformly randominjection σ : [p]→ [p′] for an arbitrary p′ > p. Let S : [p′][p] → Zp be a possibly inefficient randomizedalgorithm such that H∞(S(σ)|σ) = ω(log(λ)). Sample x← S(σ).
The challenger C receives as input (Gλ, g, p, σ, x). It initializes the adversary A with (σ(1), σ(x)) andproceeds to implement the generic group oracle with σ. A then outputs a guess x′ for x and wins ifx′ = x.
Assume towards contradiction the existence of an adversary A making T (λ) = poly(λ) queries whichattains non-negligible advantage ε(λ) in Hybrid 0. Let q(λ) = poly(λ) be such that q(λ) > 1/ε(λ) forinfinitely many λ. Let T := T (λ) and q := q(λ). Set P = 24λTq = poly(λ).
Claim 2. A attains advantage at least 1/2q in Hybrid 1.
Consider the following distinguisher D(x), which interacts with an oracle injection source mapping [p]→[p′], and receives as input x ← S(σ). D simulates the interaction between C and A described in Hybrid 0and outputs a bit indicating whether A was successful or not. If the injection source that D is interactingwith is σ, then the simulation is exactly Hybrid 0. If it is Zx,im(σ), then the simulation is exactly Hybrid1.
Applying Lemma 9 with the sampler x ← S(σ) as the function f , we have that the success probabilityof A in Hybrid 1 must be at least
ε(λ)− 2T (log p+ λ)
P− 1
2λ≥ 1
q− 4λT
24λTq− 1
2λ≥ 1
2q.
Claim 3. A attains advantage at least 1/2q − negl(λ) in Hybrid 2.
Let c(t)1 σ′(x) + c(t)2 σ′(r) + c
(t)3 σ′(bxr + (1− b)s) + c
(t)4 σ′(1)t∈[T ] be the set of A’s queries. We consider
separately whether b = 0 or 1.
If b = 0, then in Hybrid 2 we have that each query is of the form c(t)3 s + c
(t)2 r + (c
(t)1 x + c
(t)4 ). Let T ′
be the set of queries for which c(t)3 , c
(t)2 = 0. We define the set S to be the set of points that result from
queries in T ′, combined with the set of fixed points P. Then if all queries outside of T ′ evaluate to distinctpoints not in S, then A sees exactly the same distribution in Hybrid 1 as in Hybrid 2. This event canbe seen as a collection of linear polynomials over s and r, where at least one evaluates to 0. The number ofsuch polynomials is at most (T − |T ′|)(P + |T ′|) + (T − |T ′|)2 ≤ TP + 2T 2 = poly(λ). But over the uniformrandomness of r, s, each individually goes to zero with probability 1/p = negl(λ). Thus the probability thatA can distinguish is negl(λ).
Now if b = 1, each query in Hybrid 2 is of the form (c(t)3 x + c
(t)2 )r + (c
(t)1 x + c
(t)4 ). We have the same
argument as in the b = 0 case, defining the set T ′ to consist of queries for which c(t)3 x + c
(t)2 = 0. The rest
of the argument is identical, and we get that A can distinguish with negl(λ) probability.
Claim 4. There exists an A′ that makes at most 2T queries and attains advantage at least 1/2q − negl(λ)in Hybrid 3.
34
First we slightly alter Hybrid 2 to Hybrid 2a, where the challenger responds to non-constant polyno-mials over r and s with random values from im(σ′) rather than from im(σ′) \ im(P). By a union bound,the probability that this changes A’s view is at most TP/p = negl(λ).
Now we determine what events could cause A to distinguish between b = 0 and b = 1 in Hybrid 2a.First, it could form a query that is constant in one case but non-constant in the other. It is clear that if aquery is constant when b = 0, then it is constant when b = 1. On the other hand, if a query (c1, c2, c3, c4) isconstant when b = 1 and non-constant when b = 0, we must have that c3x+ c2 = 0 where either c2, c3 6= 0.This implies c3 6= 0. Second, it could form two non-constant queries that evaluate to the same element in onecase but not the other. Again, it is clear that if two queries evaluate to the same element when b = 0, thenthey do so when b = 1. On the other hand, if two queries (c1, c2, c3, c4) and (c′1, c
′2, c′3, c′4) evaluate to the
same element when b = 1 but not when b = 0, we must have that c3x+ c2 = c′3x+ c′2 and c1x+ c4 = c′1x+ c′4but either c3 6= c′3, c2 6= c′2, or c1x+ c4 6= c′1x+ c′4. This implies c3x+ c2 = c′3x+ c′2 where c3 6= c′3.
So we set up a reduction B that interacts with the Hybrid 3 game. B will simulate A’s view of Hybrid2a by considering formal variables s and r, choosing b ∈ 0, 1 and responding to queries that are constantover s and r via the Hybrid 3 challenger, and picking uniformly among im(σ′) otherwise. Additionally,on each of A’s queries such that c3 6= 0, it queries its oracle on c3σ
′(x) + c2 and stores the responses. If Asucceeds in Hybrid 2a, then eventually B will see the response σ′(0) or see same response twice on differentqueries. Either way, this gives B a non-zero linear equation over x, which it can solve. We let A′ be thecombination of B and A, noting that A′ makes at most 2 times as many generic group queries as A.
Claim 5. A′ attains 1/poly(λ) advantage in Hybrid 4.
Consider the following distinguisher D(x), which interacts with an oracle injection source mapping [p]→[p′], and receives as input x ← S(σ). D simulates the interaction between C and A′ described in Hybrid3 and outputs a bit indicating whether A′ was successful or not (whether it correctly predicted x). If theinjection source that D is interacting with is σ′, then the simulation is exactly Hybrid 3. If the injectionsource that D is interacting with is Zx,im(σ), then the simulation is exactly Hybrid 4.
Applying Lemma 9 with the sampler x ← S(σ) as the function f , we have that the success probabilityof A′ in Hybrid 4 must be at least
1
2q− negl(λ)− 4T (log p+ λ)
P− 1
2λ=
1
2q− 8λT
24λTq− negl(λ) =
1
poly(λ).
Claim 6. Every adversary A′ with T = poly(λ) queries has negl(λ) advantage in Hybrid 4.
If A′(σ(1), σ(x)) outputs x with probability 1/poly(λ) when x is sampled from any Dλ with ω(log(λ))min-entropy, there must exist some ω(poly(λ))-size set S ⊂ Zp such that for all x ∈ S, A′(σ(x)) outputs xwith probability 1/poly(λ). Then for a uniformly random x ← Zp, it must be the case that A′(σ(1), σ(x))outputs x with probability at least (ω(poly(λ))/p) · (1/poly(λ)) = ω(poly(λ))/p, contradicting the genericdiscrete log lower bound of O(T 2/p) [Sho97].
8 Acknowledgements
We thank Justin Holmgren for collaboration in the early stages of this work and for contributing a numberof extremely valuable insights. We also thank Alon Rosen for helpful feedback regarding exposition andpresentation.
This material is based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227. Any opinions, findings and conclusions or recommendations expressed in this material are those ofthe author(s) and do not necessarily reflect the views of the ARO and DARPA.
35
References
[AJR08] Kristina Altmann, Tibor Jager, and Andy Rupp. On black-box ring extraction and integerfactorization. In Luca Aceto, Ivan Damgard, Leslie Ann Goldberg, Magnus M. Halldorsson,Anna Ingolfsdottir, and Igor Walukiewicz, editors, ICALP 2008, Part II, volume 5126 of LNCS,pages 437–448. Springer, Heidelberg, July 2008.
[AM09] Divesh Aggarwal and Ueli Maurer. Breaking RSA generically is equivalent to factoring. In An-toine Joux, editor, EUROCRYPT 2009, volume 5479 of LNCS, pages 36–53. Springer, Heidelberg,April 2009.
[BC10] Nir Bitansky and Ran Canetti. On strong simulation and composable point obfuscation. InTal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 520–537. Springer, Heidelberg,August 2010.
[BC14] Nir Bitansky and Ran Canetti. On strong simulation and composable point obfuscation. Journalof Cryptology, 27(2):317–357, April 2014.
[BCLN16] Joppe W. Bos, Craig Costello, Patrick Longa, and Michael Naehrig. Selecting elliptic curvesfor cryptography: an efficiency and security analysis. Journal of Cryptographic Engineering,6(4):259–286, Nov 2016.
[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. InJoe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 213–229. Springer, Heidelberg,August 2001.
[BFF+14] Gilles Barthe, Edvard Fagerholm, Dario Fiore, John C. Mitchell, Andre Scedrov, and BenediktSchmidt. Automated analysis of cryptographic assumptions in generic group models. In Juan A.Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 95–112. Springer, Heidelberg, August 2014.
[BGI+01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vad-han, and Ke Yang. On the (im)possibility of obfuscating programs. In Joe Kilian, editor,CRYPTO 2001, volume 2139 of LNCS, pages 1–18. Springer, Heidelberg, August 2001.
[BL13] Daniel J. Bernstein and Tanja Lange. Non-uniform cracks in the concrete: The power of freeprecomputation. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume8270 of LNCS, pages 321–340. Springer, Heidelberg, December 2013.
[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designingefficient protocols. In V. Ashby, editor, ACM CCS 93, pages 62–73. ACM Press, November 1993.
[Bra94] Stefan Brands. Untraceable off-line cash in wallets with observers (extended abstract). In Dou-glas R. Stinson, editor, CRYPTO’93, volume 773 of LNCS, pages 302–318. Springer, Heidelberg,August 1994.
[BS02] Dan Boneh and Alice Silverberg. Applications of multilinear forms to cryptography. Contempo-rary Mathematics, 324:71–90, 2002.
[BZ14] Dan Boneh and Mark Zhandry. Multiparty key exchange, efficient traitor tracing, and more fromindistinguishability obfuscation. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014,Part I, volume 8616 of LNCS, pages 480–499. Springer, Heidelberg, August 2014.
[Can97] Ran Canetti. Towards realizing random oracles: Hash functions that hide all partial information.In Burton S. Kaliski Jr., editor, CRYPTO’97, volume 1294 of LNCS, pages 455–469. Springer,Heidelberg, August 1997.
36
[CD08] Ran Canetti and Ronny Ramzi Dakdouk. Extractable perfectly one-way functions. In LucaAceto, Ivan Damgard, Leslie Ann Goldberg, Magnus M. Halldorsson, Anna Ingolfsdottir, andIgor Walukiewicz, editors, ICALP 2008, Part II, volume 5126 of LNCS, pages 449–460. Springer,Heidelberg, July 2008.
[CDG18] Sandro Coretti, Yevgeniy Dodis, and Siyao Guo. Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In Hovav Shacham and AlexandraBoldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS, pages 693–721. Springer,Heidelberg, August 2018.
[CDGS18] Sandro Coretti, Yevgeniy Dodis, Siyao Guo, and John P. Steinberger. Random oracles and non-uniformity. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I,volume 10820 of LNCS, pages 227–258. Springer, Heidelberg, April / May 2018.
[CK18] Henry Corrigan-Gibbs and Dmitry Kogan. The discrete-logarithm problem with preprocessing.In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821of LNCS, pages 415–447. Springer, Heidelberg, April / May 2018.
[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure againstadaptive chosen ciphertext attack. In Hugo Krawczyk, editor, CRYPTO’98, volume 1462 ofLNCS, pages 13–25. Springer, Heidelberg, August 1998.
[CV09] Ran Canetti and Mayank Varia. Non-malleable obfuscation. In Omer Reingold, editor, TCC 2009,volume 5444 of LNCS, pages 73–90. Springer, Heidelberg, March 2009.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions onInformation Theory, 22(6):644–654, 1976.
[DHZ14] Ivan Damgard, Carmit Hazay, and Angela Zottarel. Short paper on the generic hardness ofddh-ii. 2014.
[DK02] Ivan Damgard and Maciej Koprowski. Generic lower bounds for root extraction and signatureschemes in general groups. In Lars R. Knudsen, editor, EUROCRYPT 2002, volume 2332 ofLNCS, pages 256–271. Springer, Heidelberg, April / May 2002.
[ElG84] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms.In G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of LNCS, pages 10–18.Springer, Heidelberg, August 1984.
[FF18] Peter Fenteany and Benjamin Fuller. Non-malleable digital lockers for efficiently sampleabledistributions. Cryptology ePrint Archive, Report 2018/957, 2018. https://eprint.iacr.org/
2018/957.
[Fuj16] Eiichiro Fujisaki. Improving practical uc-secure commitments based on the ddh assumption. InProceedings of the 10th International Conference on Security and Cryptography for Networks -Volume 9841, pages 257–272, Berlin, Heidelberg, 2016. Springer-Verlag.
[Gal12] Steven D Galbraith. Mathematics of public key cryptography. Cambridge University Press, 2012.
[GG11] Eran Gat and Shafi Goldwasser. Probabilistic search algorithms with unique answers andtheir cryptographic applications. Electronic Colloquium on Computational Complexity (ECCC),18:136, 2011.
[GK16] Shafi Goldwasser and Yael Tauman Kalai. Cryptographic assumptions: A position paper. InEyal Kushilevitz and Tal Malkin, editors, TCC 2016-A, Part I, volume 9562 of LNCS, pages505–522. Springer, Heidelberg, January 2016.
37
[KKS15] Jinsu Kim, Sungwook Kim, and Jae Hong Seo. Multilinear map via scale-invariant FHE: En-hancing security and efficiency. Cryptology ePrint Archive, Report 2015/992, 2015. https:
//ia.cr/2015/992.
[KL] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography, Second Edition.
[KLRZ08] Yael Tauman Kalai, Xin Li, Anup Rao, and David Zuckerman. Network extractor protocols. In49th FOCS, pages 654–663. IEEE Computer Society Press, October 2008.
[KY18a] Ilan Komargodski and Eylon Yogev. Another step towards realizing random oracles: Non-malleable point obfuscation. In Jesper Buus Nielsen and Vincent Rijmen, editors, EURO-CRYPT 2018, Part I, volume 10820 of LNCS, pages 259–279. Springer, Heidelberg, April / May2018.
[KY18b] Ilan Komargodski and Eylon Yogev. Another step towards realizing random oracles: Non-malleable point obfuscation. Cryptology ePrint Archive, Report 2018/149, 2018. https://ia.
cr/2018/149.
[LCH11] Hyung Tae Lee, Jung Hee Cheon, and Jin Hong. Accelerating ID-based encryption based ontrapdoor DL using pre-computation. Cryptology ePrint Archive, Report 2011/187, 2011. https://ia.cr/2011/187.
[Lip94] Richard J Lipton. Straight-line complexity and integer factorization. In International AlgorithmicNumber Theory Symposium, pages 71–79. Springer, 1994.
[Mau05] Ueli M. Maurer. Abstract models of computation in cryptography (invited paper). In Nigel P.Smart, editor, 10th IMA International Conference on Cryptography and Coding, volume 3796 ofLNCS, pages 1–12. Springer, Heidelberg, December 2005.
[Mih] J.P. Mihalcik. An analysis of algorithms for solving discrete logarithms in fixed groups.
[Nec94] V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. MathematicalNotes, 55(2):165–172, 1994.
[Sho97] Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor,EUROCRYPT’97, volume 1233 of LNCS, pages 256–266. Springer, Heidelberg, May 1997.
[Sho99] Victor Shoup. On formal models for secure key exchange. Technical Report RZ 3120, IBM, 1999.
[SS01] Ahmad-Reza Sadeghi and Michael Steiner. Assumptions related to discrete logarithms: Whysubtleties make a real difference. In Birgit Pfitzmann, editor, EUROCRYPT 2001, volume 2045of LNCS, pages 244–261. Springer, Heidelberg, May 2001.
[SS06] Amitabh Saxena and Ben Soh. A new cryptosystem based on hidden order groups. CryptologyePrint Archive, Report 2006/178, 2006. https://ia.cr/2006/178.
[Unr07] Dominique Unruh. Random oracles and auxiliary input. In Alfred Menezes, editor,CRYPTO 2007, volume 4622 of LNCS, pages 205–223. Springer, Heidelberg, August 2007.
[Wee05] Hoeteck Wee. On obfuscating point functions. In Harold N. Gabow and Ronald Fagin, editors,37th ACM STOC, pages 523–532. ACM Press, May 2005.
[Yun15] Aaram Yun. Generic hardness of the multiple discrete logarithm problem. In Elisabeth Oswaldand Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 817–836.Springer, Heidelberg, April 2015.
38
[YYHK14] Takashi Yamakawa, Shota Yamada, Goichiro Hanaoka, and Noboru Kunihiro. Self-bilinear mapon unknown order groups from indistinguishability obfuscation and its applications. In Juan A.Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II, volume 8617 of LNCS, pages90–107. Springer, Heidelberg, August 2014.
[YYHK18] Takashi Yamakawa, Shota Yamada, Goichiro Hanaoka, and Noboru Kunihiro. Generic hardnessof inversion on ring and its relation to self-bilinear map. Cryptology ePrint Archive, Report2018/463, 2018. https://ia.cr/2018/463.
39
![Subsurface Stresses in Rolling & Sliding Machine Components [Sadeghi, Sui; Int.comp.Eng.conf., 1988]](https://img.pdfslide.us/doc/110x75/577cd14b1a28ab9e7894160a/subsurface-stresses-in-rolling-sliding-machine-components-sadeghi-sui.jpg)
![Casey Kneale, Kolia Sadeghi arXiv:1907.11129v1 [cs.LG] 25](https://img.pdfslide.us/doc/110x75/625908891d7cbc4c3e02b52c/casey-kneale-kolia-sadeghi-arxiv190711129v1-cslg-25-.jpg)
